CSP3: The 'strict-dynamic' source expression.

The 'strict-dynamic' source expression allows script loaded via nonce- or hash-based whitelists to load other script, simplifying the requirements for deployment, and (hopefully!) making it more likely that CSP can reach more sites.

Demo

• https://csp-experiments.appspot.com/unsafe-dynamic

Documentation

• https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives

Specification

Working draft or equivalent

Status in Chromium

Blink components: Blink

Enabled by default (launch bug) in:

• Chrome for desktop release 52
• Chrome for Android release 52
• Android WebView release 52
• Opera release 39
• Opera for Android release 39

Consensus & Standardization

• Firefox: Shipped
• Edge: Public support
• Safari: No public signals
• Web Developers: Positive

Owner

• mkwst@chromium.org

Last updated on 2017-08-09