CSP hash expressions can match external scripts.

CSP3 allows hash expressions to match external scripts, by relying on SRI as underlying infrastructure. That is, given `Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'`, `<script integrity="sha256-abc123" ...></script>` will be allowed.

Documentation

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src

Specification

Working draft or equivalent

Status in Chromium

Blink components: Blink

Enabled by default (tracking bug) in:

Chrome for desktop release 59
Chrome for Android release 59
Android WebView release 59

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Public support
Edge: No public signals
Safari: No public signals
Web Developers: Positive

Owners

treib@chromium.org
mkwst@chromium.org

Last updated on 2018-01-17