The 'strict-dynamic' source expression allows script loaded via nonce- or hash-based whitelists to load other script, simplifying the requirements for deployment, and (hopefully!) making it more likely that CSP can reach more sites.

Demo

Documentation

Specification

Specification link


Specification currently under development in a Working Group

Status in Chromium

Blink


Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Shipped/Shipping
  • Positive
  • No signal
  • Positive

Owner

Last updated on 2020-11-09