CSP3: The 'strict-dynamic' source expression.

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 52)
Intent stage: None

Summary

The 'strict-dynamic' source expression allows scripts loaded via nonce- or hash-based whitelists to load other scripts, which simplifies the requirements for deployment and (hopefully!) makes it more likely that CSP can reach more sites.
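The following simplified model of that behaviour is an added example, not code from Chrome or the CSP specification. It models nonces only (no hashes), treats host sources as exact origins, and uses constructed policies and hypothetical names (`parseScriptSrc`, `allowsScript`, the `example` hosts). It relies on the CSP3 rule that, when 'strict-dynamic' is present, host sources are ignored and trust extends only to scripts that an already-running script adds without going through the HTML parser.

```javascript
// Simplified model of script-src matching with 'strict-dynamic'.
// Assumptions: the policy has a script-src directive; hashes, 'self',
// wildcards and reporting are not modelled.

function parseScriptSrc(policyText) {
  const directive = policyText.split(';').map(d => d.trim())
    .find(d => d.toLowerCase().startsWith('script-src '));
  if (!directive) throw new Error('model requires a script-src directive');
  const sources = directive.split(/\s+/).slice(1);
  return {
    // "'nonce-abc'" -> "abc"
    nonces: sources.filter(s => /^'nonce-.+'$/.test(s)).map(s => s.slice(7, -1)),
    strictDynamic: sources.some(s => s.toLowerCase() === "'strict-dynamic'"),
    // Unquoted entries are host sources; compared as exact origins here.
    hosts: sources.filter(s => !s.startsWith("'")),
  };
}

// script: { url, nonce, parserInserted }
// parserInserted is true for <script> tags in markup or document.write(),
// false for elements a running script creates and appends via the DOM.
function allowsScript(policy, script) {
  // A matching nonce is always sufficient.
  if (script.nonce && policy.nonces.includes(script.nonce)) return true;
  if (policy.strictDynamic) {
    // Host sources are ignored. Only scripts added by code that is
    // already executing (and therefore already trusted) are allowed.
    return script.parserInserted === false;
  }
  // Without 'strict-dynamic', fall back to the host whitelist.
  return policy.hosts.includes(new URL(script.url).origin);
}

// Constructed sample policies.
const STRICT = "script-src 'nonce-r4nd0m' 'strict-dynamic' https://cdn.example; object-src 'none'";
const LEGACY = "script-src 'nonce-r4nd0m' https://cdn.example";

// Constructed sample loads.
const loader = { url: 'https://app.example/loader.js', nonce: 'r4nd0m', parserInserted: true };
const dynamicChild = { url: 'https://widgets.example/w.js', nonce: null, parserInserted: false };
const markupNoNonce = { url: 'https://cdn.example/lib.js', nonce: null, parserInserted: true };

for (const [name, text] of [['strict', STRICT], ['legacy', LEGACY]]) {
  const p = parseScriptSrc(text);
  console.log(name, [loader, dynamicChild, markupNoNonce].map(s => allowsScript(p, s)));
}
```

Under the strict policy the nonced loader and the script it appends are allowed while the un-nonced markup script is blocked even though its host is listed; under the legacy policy the dynamically added script is blocked because its origin is not in the whitelist.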

Standards & signals

Docs: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives

Samples: https://csp-experiments.appspot.com/unsafe-dynamic
