W3cubDocs

/Support Tables

Content Security Policy Level 2

Mitigate cross-site scripting attacks by whitelisting allowed sources of script, style, and other resources. CSP 2 adds hash-source, nonce-source, and five new directives

Spec https://www.w3.org/TR/CSP2/
Status W3C Candidate Recommendation
IE Edge Firefox Chrome Safari Opera
      73    
    65 (7) 72    
    64 (7) 71 TP  
11 18 (9) 63 (7) 70 12 56
10 17 (9) 62 (7) 69 11.1 55
9 16 (9) 61 (7) 68 11 54
8 15 (9) 60 (7) 67 10.1 53
Show all
7 14 59 (7) 66 10 52
6 13 58 (7) 65 9.1 51
5.5 12 57 (7) 64 9 50
    56 (7) 63 8 49
    55 (7) 62 7.1 48
    54 (7) 61 7 47
    53 (7) 60 6.1 46
    52 (7) 59 6 45
    51 (7) 58 5.1 44
    50 (7) 57 5 43
    49 (7) 56 4 42
    48 (7) 55 3.2 41
    47 (7) 54 3.1 40
    46 (7) 53   39
    45 (7) 52   38
    44 (3) 51   37
    43 (3) 50   36
    42 (3) 49   35
    41 (3) 48   34
    40 (3) 47   33
    39 (3) 46   32
    38 (3) 45   31
    37 (3) 44   30
    36 (3) 43   29
    35 (2) 42   28
    34 (1) 41   27
    33 (1) 40   26 (5)
    32 (1) 39 (5)   25 (4)
    31 (1) 38 (4)   24 (4)
    30 37 (4)   23 (4)
    29 36 (4)   22
    28 35   21
    27 34   20
    26 33   19
    25 32   18
    24 31   17
    23 30   16
    22 29   15
    21 28   12.1
    20 27   12
    19 26   11.6
    18 25   11.5
    17 24   11.1
    16 23   11
    15 22   10.6
    14 21   10.5
    13 20   10.0-10.1
    12 19   9.5-9.6
    11 18   9
    10 17    
    9 16    
    8 15    
    7 14    
    6 13    
    5 12    
    4 11    
    3.6 10    
    3.5 9    
    3 8    
    2 7    
      6    
      5    
      4    
iOS Safari Opera Mini Android Browser Blackberry Browser Opera Mobile Android Chrome Android Firefox IE Mobile Android UC Browser Samsung Internet QQ Browser Baidu Browser
12 all 67 10 46 70 63 (6) 11 11.8 7.2 1.2 7.12
11.3-11.4   4.4.3-4.4.4 7 12.1     10   6.2    
11.0-11.2   4.4   12         5    
10.3   4.2-4.3   11.5         4    
Show all
10.0-10.2   4.1   11.1              
9.3   4   11              
9.0-9.2   3   10              
8.1-8.4   2.3                  
8   2.2                  
7.0-7.1   2.1                  
6.0-6.1                      
5.0-5.1                      
4.2-4.3                      
4.0-4.1                      
3.2                      

Notes

  1. Firefox 31-34 is missing the plugin-types, child-src, frame-ancestors, base-uri, and form-action directives.

  2. Firefox 35 is missing the plugin-types, child-src, frame-ancestors, and form-action directives.

  3. Firefox 36-44 is missing the plugin-types and child-src directives.

  4. Chrome 36-38 & Opera 23-25 are missing the plugin-types, child-src, frame-ancestors, base-uri, and form-action directives.

  5. Chrome 39 and Opera 26 are missing the plugin-types, child-src, base-uri, and form-action directives.

  6. Firefox 38 on Android is missing the child-src directive.

  7. Firefox 45+ is missing the plugin-types directive.

  8. Edge has broken nonce support as it ignores nonces on sourced scripts.

Bugs

  • Partial support in Edge refers to broken nonce suport which will lead to breakages since sourced script tags with a valid nonce will get blocked.

Resources

Data by caniuse.com
Licensed under the Creative Commons Attribution License v4.0.
http://caniuse.com/#feat=contentsecuritypolicy2