The 'strict-dynamic' source expression allows script loaded via nonce- or hash-based whitelists to load other script, simplifying the requirements for deployment, and (hopefully!) making it more likely that CSP can reach more sites.
Demo
Documentation
Specification
Specification currently under development in a Working Group
Status in Chromium
Enabled by default
(tracking bug)
Consensus & Standardization
After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.
- Shipped/Shipping
- Positive
- No signal
- Positive
Owner
Last updated on 2020-11-09