CSP3: The 'strict-dynamic' source expression.

The 'strict-dynamic' source expression allows script loaded via nonce- or hash-based whitelists to load other script, simplifying the requirements for deployment, and (hopefully!) making it more likely that CSP can reach more sites.

Specification

Working draft or equivalent

Status in Chromium

Enabled by default (launch bug) in:

  • Chrome for desktop release 52
  • Chrome for Android release 52
  • Android WebView release 52
  • Opera release 39
  • Opera for Android release 39

Consensus & Standardization

  • In development
  • Public support
  • No public signals
  • Positive

Last updated on 2016-10-28