
CSP: `script-src-attr`, `script-src-elem`, `style-src-attr`, `style-src-elem` directives

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 75)
Intent stage: Prepare to ship

Summary

These four new directives provide the functionality of the `script-src` and `style-src` directives with more granularity: each applies only to elements or only to attributes.
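
To audit what a policy really enforces for each of the four checks, the added example below (not Chrome's or the spec's code) resolves the governing directive using the fallback order in the CSP draft linked under Docs: the granular directive, then `script-src` or `style-src`, then `default-src`. The function names, the sample policy and `cdn.example` are constructed for illustration.

```javascript
// Added example: find which CSP directive governs each script/style check.
// Fallback chains follow the CSP3 draft linked under "Docs".
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'style-src-attr': ['style-src-attr', 'style-src', 'default-src'],
};

// Parse a serialized policy into a Map of directive name -> source list.
// Directive names are case-insensitive; a repeated directive is ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const token of header.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, parts.slice(1));
  }
  return policy;
}

// Return the directive actually enforced for a check, or null if none applies.
function effectiveDirective(policy, check) {
  for (const name of FALLBACK[check]) {
    if (policy.has(name)) return { directive: name, sources: policy.get(name) };
  }
  return null;
}

// Summarize all four checks for one policy string (hypothetical helper).
function report(header) {
  const policy = parsePolicy(header);
  const out = {};
  for (const check of Object.keys(FALLBACK)) {
    const hit = effectiveDirective(policy, check);
    out[check] = hit ? `${hit.directive}: ${hit.sources.join(' ')}` : 'unrestricted';
  }
  return out;
}

// Constructed sample policy: inline event handlers are blocked outright,
// while <script> elements still fall back to script-src.
const SAMPLE = "default-src 'self'; script-src 'self' https://cdn.example; " +
  "script-src-attr 'none'; style-src-elem 'self'";

console.log(report(SAMPLE));
```

In the sample, `style-src-attr` is governed by `default-src` because neither `style-src-attr` nor `style-src` is present, which is the kind of gap this report is meant to surface.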

Standards & signals

Docs:
https://w3c.github.io/webappsec-csp/#directive-script-src-attr
https://w3c.github.io/webappsec-csp/#directive-script-src-elem
https://w3c.github.io/webappsec-csp/#directive-style-src-attr
https://w3c.github.io/webappsec-csp/#directive-style-src-elem

Explainers: https://docs.google.com/document/d/1_nYS4gWYO2Oh8rYDyPglXIKNsgCRVhmjHqWlTAHst7c/edit?usp=sharing (the "Directives specific for script and style attributes and elements (option 2)" section in particular)