CSP3: unsafe-hashed-attributes

'unsafe-hashed-attributes' is a feature in CSP3 which allows developers to enable specific event handlers without needing to use the less safe 'unsafe-inline' keyword. If 'unsafe-hashed-attributes' is present, inline event handlers are allowed to match against hashes specified by the 'script-src' directive (or its fallback if not present).

Specification

Editor's draft

Status in Chromium

Blink>SecurityFeature>ContentSecurityPolicy


Enabled by default (tracking bug) in:

  • Chrome for desktop release 69
  • Chrome for Android release 69
  • Android WebView release 69

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No public signals
  • No public signals
  • No public signals
  • Positive

Owner

Last updated on 2019-05-01