CSP3: The 'strict-dynamic' source expression.
The 'strict-dynamic' source expression allows script loaded via nonce- or hash-based whitelists to load other script, simplifying the requirements for deployment, and (hopefully!) making it more likely that CSP can reach more sites.
Status in Chromium
Enabled by default (tracking bug) in:
- Chrome for desktop release 52
- Chrome for Android release 52
- Android WebView release 52
Consensus & Standardization
- Public support
- No public signals
Last updated on 2017-08-09