CSP: `script-src-attr`, `script-src-elem`, `style-src-attr`, `style-src-elem` directives

These four new directives provide the functionality of the `script-src` and `style-src` directives with more granularity: the `-elem` variants apply to elements and the `-attr` variants apply to attributes.

Specification

Editor's draft

Status in Chromium

Blink>SecurityFeature>ContentSecurityPolicy


Enabled by default (tracking bug) in:

  • Chrome for desktop release 75
  • Chrome for Android release 75
  • Android WebView release 75

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Mixed public signals
  • Mixed public signals
  • Mixed public signals
  • Positive

Last updated on 2019-03-18