Mitigate cross-site scripting attacks by whitelisting allowed sources of script, style, and other resources. CSP 2 adds hash-source, nonce-source, and five new directives
Spec | https://www.w3.org/TR/CSP2/ |
---|---|
Status | W3C Candidate Recommendation |
IE | Edge | Firefox | Chrome | Safari | Opera |
---|---|---|---|---|---|
73 | |||||
65 (7) | 72 | ||||
64 (7) | 71 | TP | |||
11 | 18 (9) | 63 (7) | 70 | 12 | 56 |
10 | 17 (9) | 62 (7) | 69 | 11.1 | 55 |
9 | 16 (9) | 61 (7) | 68 | 11 | 54 |
8 | 15 (9) | 60 (7) | 67 | 10.1 | 53 |
Show all | |||||
7 | 14 | 59 (7) | 66 | 10 | 52 |
6 | 13 | 58 (7) | 65 | 9.1 | 51 |
5.5 | 12 | 57 (7) | 64 | 9 | 50 |
56 (7) | 63 | 8 | 49 | ||
55 (7) | 62 | 7.1 | 48 | ||
54 (7) | 61 | 7 | 47 | ||
53 (7) | 60 | 6.1 | 46 | ||
52 (7) | 59 | 6 | 45 | ||
51 (7) | 58 | 5.1 | 44 | ||
50 (7) | 57 | 5 | 43 | ||
49 (7) | 56 | 4 | 42 | ||
48 (7) | 55 | 3.2 | 41 | ||
47 (7) | 54 | 3.1 | 40 | ||
46 (7) | 53 | 39 | |||
45 (7) | 52 | 38 | |||
44 (3) | 51 | 37 | |||
43 (3) | 50 | 36 | |||
42 (3) | 49 | 35 | |||
41 (3) | 48 | 34 | |||
40 (3) | 47 | 33 | |||
39 (3) | 46 | 32 | |||
38 (3) | 45 | 31 | |||
37 (3) | 44 | 30 | |||
36 (3) | 43 | 29 | |||
35 (2) | 42 | 28 | |||
34 (1) | 41 | 27 | |||
33 (1) | 40 | 26 (5) | |||
32 (1) | 39 (5) | 25 (4) | |||
31 (1) | 38 (4) | 24 (4) | |||
30 | 37 (4) | 23 (4) | |||
29 | 36 (4) | 22 | |||
28 | 35 | 21 | |||
27 | 34 | 20 | |||
26 | 33 | 19 | |||
25 | 32 | 18 | |||
24 | 31 | 17 | |||
23 | 30 | 16 | |||
22 | 29 | 15 | |||
21 | 28 | 12.1 | |||
20 | 27 | 12 | |||
19 | 26 | 11.6 | |||
18 | 25 | 11.5 | |||
17 | 24 | 11.1 | |||
16 | 23 | 11 | |||
15 | 22 | 10.6 | |||
14 | 21 | 10.5 | |||
13 | 20 | 10.0-10.1 | |||
12 | 19 | 9.5-9.6 | |||
11 | 18 | 9 | |||
10 | 17 | ||||
9 | 16 | ||||
8 | 15 | ||||
7 | 14 | ||||
6 | 13 | ||||
5 | 12 | ||||
4 | 11 | ||||
3.6 | 10 | ||||
3.5 | 9 | ||||
3 | 8 | ||||
2 | 7 | ||||
6 | |||||
5 | |||||
4 |
iOS Safari | Opera Mini | Android Browser | Blackberry Browser | Opera Mobile | Android Chrome | Android Firefox | IE Mobile | Android UC Browser | Samsung Internet | QQ Browser | Baidu Browser |
---|---|---|---|---|---|---|---|---|---|---|---|
12 | all | 67 | 10 | 46 | 70 | 63 (6) | 11 | 11.8 | 7.2 | 1.2 | 7.12 |
11.3-11.4 | 4.4.3-4.4.4 | 7 | 12.1 | 10 | 6.2 | ||||||
11.0-11.2 | 4.4 | 12 | 5 | ||||||||
10.3 | 4.2-4.3 | 11.5 | 4 | ||||||||
Show all | |||||||||||
10.0-10.2 | 4.1 | 11.1 | |||||||||
9.3 | 4 | 11 | |||||||||
9.0-9.2 | 3 | 10 | |||||||||
8.1-8.4 | 2.3 | ||||||||||
8 | 2.2 | ||||||||||
7.0-7.1 | 2.1 | ||||||||||
6.0-6.1 | |||||||||||
5.0-5.1 | |||||||||||
4.2-4.3 | |||||||||||
4.0-4.1 | |||||||||||
3.2 |
Firefox 31-34 is missing the plugin-types, child-src, frame-ancestors, base-uri, and form-action directives.
Firefox 35 is missing the plugin-types, child-src, frame-ancestors, and form-action directives.
Firefox 36-44 is missing the plugin-types and child-src directives.
Chrome 36-38 & Opera 23-25 are missing the plugin-types, child-src, frame-ancestors, base-uri, and form-action directives.
Chrome 39 and Opera 26 are missing the plugin-types, child-src, base-uri, and form-action directives.
Firefox 38 on Android is missing the child-src directive.
Firefox 45+ is missing the plugin-types directive.
Edge has broken nonce support as it ignores nonces on sourced scripts.
Partial support in Edge refers to broken nonce suport which will lead to breakages since sourced script tags with a valid nonce will get blocked.
Data by caniuse.com
Licensed under the Creative Commons Attribution License v4.0.
http://caniuse.com/#feat=contentsecuritypolicy2