Content Security Policy Level 2

Mitigate cross-site scripting attacks by only allowing certain sources of script, style, and other resources. CSP 2 adds hash-source, nonce-source, and five new directives

Spec	https://www.w3.org/TR/CSP2/
Status	W3C Recommendation

IE	Edge	Firefox	Chrome	Safari	Opera
			108
		107	107	TP
		106	106	16.1
11	105	105	105	16.0	91
10	104	104	104	15.6	90
9	103	103	103	15.5	89
8	102	102	102	15.4	88
Show all
7	101	101	101	15.2-15.3	87
6	100	100	100	15.1	86
5.5	99	99	99	15	85
	98	98	98	14.1	84
	97	97	97	14	83
	96	96	96	13.1	82
	95	95	95	13	81
	94	94	94	12.1	80
	93	93	93	12	79
	92	92	92	11.1	78
	91	91	91	11	77
	90	90	90	10.1	76
	89	89	89	10	75
	88	88	88	9.1	74
	87	87	87	9	73
	86	86	86	8	72
	85	85	85	7.1	71
	84	84	84	7	70
	83	83	83	6.1	69
	81	82	81	6	68
	80	81	80	5.1	67
	79	80	79	5	66
	18 (6)	79	78	4	65
	17 (6)	78	77	3.2	64
	16 (6)	77	76	3.1	63
	15 (6)	76	75		62
	14	75	74		60
	13	74	73		58
	12	73	72		57
		72	71		56
		71	70		55
		70	69		54
		69	68		53
		68	67		52
		67	66		51
		66	65		50
		65	64		49
		64	63		48
		63	62		47
		62	61		46
		61	60		45
		60	59		44
		59	58		43
		58	57		42
		57	56		41
		56	55		40
		55	54		39
		54	53		38
		53	52		37
		52	51		36
		51	50		35
		50	49		34
		49	48		33
		48	47		32
		47	46		31
		46	45		30
		45	44		29
		44 (3)	43		28
		43 (3)	42		27
		42 (3)	41		26 (5)
		41 (3)	40		25 (4)
		40 (3)	39 (5)		24 (4)
		39 (3)	38 (4)		23 (4)
		38 (3)	37 (4)		22
		37 (3)	36 (4)		21
		36 (3)	35		20
		35 (2)	34		19
		34 (1)	33		18
		33 (1)	32		17
		32 (1)	31		16
		31 (1)	30		15
		30	29		12.1
		29	28		12
		28	27		11.6
		27	26		11.5
		26	25		11.1
		25	24		11
		24	23		10.6
		23	22		10.5
		22	21		10.0-10.1
		21	20		9.5-9.6
		20	19		9
		19	18
		18	17
		17	16
		16	15
		15	14
		14	13
		13	12
		12	11
		11	10
		10	9
		9	8
		8	7
		7	6
		6	5
		5	4
		4
		3.6
		3.5
		3
		2

Safari on iOS	Opera Mini	Android Browser	Blackberry Browser	Opera Mobile	Android Chrome	Android Firefox	IE Mobile	Android UC Browser	Samsung Internet	QQ Browser	Baidu Browser	KaiOS Browser
16.1
16.0	all	105	10	64	105	104	11	13.4	18.0	13.1	13.18	2.5
15.6		4.4.3-4.4.4	7	12.1			10		17.0
15.5		4.4		12					16.0
15.4		4.2-4.3		11.5					15.0
Show all
15.2-15.3		4.1		11.1					14.0
15.0-15.1		4		11					13.0
14.5-14.8		3		10					12.0
14.0-14.4		2.3							11.1-11.2
13.4-13.7		2.2							10.1
13.3		2.1							9.2
13.2									8.2
13.0-13.1									7.2-7.4
12.2-12.5									6.2-6.4
12.0-12.1									5.0-5.4
11.3-11.4									4
11.0-11.2
10.3
10.0-10.2
9.3
9.0-9.2
8.1-8.4
8
7.0-7.1
6.0-6.1
5.0-5.1
4.2-4.3
4.0-4.1
3.2

Notes

1. Firefox 31-34 is missing the child-src, frame-ancestors, base-uri, and form-action directives.

2. Firefox 35 is missing the child-src, frame-ancestors, and form-action directives.

3. Firefox 36-44 is missing the child-src directives.

4. Chrome 36-38 & Opera 23-25 are missing the child-src, frame-ancestors, base-uri, and form-action directives.

5. Chrome 39 and Opera 26 are missing the child-src, base-uri, and form-action directives.

6. Edge has broken nonce support as it ignores nonces on sourced scripts.

Bugs

• Partial support in Edge refers to broken nonce suport which will lead to breakages since sourced script tags with a valid nonce will get blocked.

Resources

• HTML5Rocks article
• MDN Web Docs - Content Security Policy