CSP3 allows hash expressions to match external scripts by relying on SRI as the underlying infrastructure. That is, given `Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'`, `<script integrity="sha256-abc123" ...></script>` will be allowed.
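The following added example (not part of the original page or of Chromium) shows how a build step could derive the hash expression for a script, emit the matching header and tag, and model the policy-side match. The script body, the `cdn.example` URL and the function names are constructed for illustration, and the rule that every hash in the `integrity` attribute must be listed in the policy is an assumption about the CSP3 matching step.

```python
import base64
import hashlib
import re

# A CSP hash-source token such as 'sha256-<base64>' (single quotes included).
HASH_SRC = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})'$", re.I)


def sri_hash(body: bytes, alg: str = "sha256") -> str:
    """Return the SRI/CSP hash expression (alg-base64digest) for a script body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def policy_hashes(csp: str) -> set:
    """Collect (alg, value) pairs from the first script-src directive in the policy."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            matches = (HASH_SRC.match(t) for t in tokens[1:])
            return {(m.group(1).lower(), m.group(2)) for m in matches if m}
    return set()


def integrity_allows(csp: str, integrity: str) -> bool:
    """True if the integrity attribute lets an external script match by hash.

    Assumption: every recognised hash in the attribute must be listed in the policy.
    """
    listed = policy_hashes(csp)
    sources = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        value = rest.split("?", 1)[0]  # drop SRI options after '?'
        if alg.lower() in ("sha256", "sha384", "sha512") and value:
            sources.append((alg.lower(), value))
    return bool(sources) and all(s in listed for s in sources)


# Constructed sample script body and the header/tag a build step would emit.
SCRIPT = b"console.log('widget loaded');\n"
H256 = sri_hash(SCRIPT)
CSP = f"default-src 'self'; script-src '{H256}'"
TAG = f'<script src="https://cdn.example/widget.js" integrity="{H256}" crossorigin="anonymous"></script>'

if __name__ == "__main__":
    print("Content-Security-Policy:", CSP)
    print(TAG)
    print("allowed by hash:", integrity_allows(CSP, H256))
```

This models only the policy match; the browser still checks the fetched bytes against the `integrity` value through SRI before the script runs.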
Documentation
Specification
Status in Chromium
Enabled by default (tracking bug) in:
- Chrome for desktop release 59
- Chrome for Android release 59
- Android WebView release 59
Consensus & Standardization
After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.
- Positive
- No signal
- No signal
- Positive
Owners
Last updated on 2020-11-09