CSP hash expressions can match external scripts.

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 59)
Intent stage: None

Summary

CSP3 allows hash expressions to match external scripts, by relying on SRI as underlying infrastructure. That is, given `Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'`, `<script integrity="sha256-abc123" ...></script>` will be allowed.
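
The matching rule in the summary, as an added example (not code from Chrome or from the CSP specification): a simplified Node.js model that builds a hash token for a constructed script body and checks an `integrity` attribute against the `script-src` hash expressions. It assumes, following the CSP3 matching algorithm, that every hash listed in `integrity` must also appear in the policy; the function names and the sample script are hypothetical.

```javascript
// Added example: simplified model of the CSP3 hash check for external scripts.
const nodeCrypto = require("node:crypto");

// <alg>-<base64 value>, the token shape shared by SRI and CSP hash expressions.
const HASH_RE = /^(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})$/i;

// Build the token for a script body, usable in both the header and the attribute.
function hashToken(body, alg = "sha256") {
  return `${alg}-${nodeCrypto.createHash(alg).update(body).digest("base64")}`;
}

// Algorithm name is case-insensitive; the base64 value is compared exactly.
function normalise(token) {
  const [, alg, value] = HASH_RE.exec(token);
  return `${alg.toLowerCase()}-${value}`;
}

// Collect the quoted hash expressions from the script-src directive.
function scriptHashSources(policy) {
  const directive = policy.split(";").map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === "script-src");
  if (!directive) return [];
  return directive.slice(1)
    .map((t) => /^'(.*)'$/.exec(t))
    .filter((m) => m && HASH_RE.test(m[1]))
    .map((m) => normalise(m[1]));
}

// True only when the attribute carries at least one hash and every hash it
// carries is listed in the policy. One unlisted hash fails the match.
function integrityMatchesPolicy(policy, integrity) {
  const allowed = scriptHashSources(policy);
  const listed = integrity.trim().split(/\s+/).filter((t) => HASH_RE.test(t));
  if (allowed.length === 0 || listed.length === 0) return false;
  return listed.every((t) => allowed.includes(normalise(t)));
}

// Constructed sample: a script body, the policy that allows it, and two tags.
const body = "console.log('constructed sample script');";
const token = hashToken(body);
const policy = `script-src '${token}'`;
const unlisted = hashToken(body, "sha512"); // valid SRI hash, absent from policy

console.log("Content-Security-Policy:", policy);
console.log("integrity listed in policy:", integrityMatchesPolicy(policy, token));
console.log("extra unlisted hash:", integrityMatchesPolicy(policy, `${token} ${unlisted}`));
```

A policy match only permits the load to start; the browser's SRI check still has to confirm that the fetched bytes hash to the `integrity` value.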

Standards & signals

Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
