Is Content Security Policy forward compatible?

If script-src with a hash-source is used in a browser that does not understand hash-source, does the browser ignore all of script-src, or even the whole CSP? Or will it ignore only the hash-source?

More generally, do browsers implement CSP in a forward-compatible way?

+7
content-security-policy
2 answers

The spec speaks of backward compatibility. The process for determining whether an element matches is described in section 6.6.2.2 of the CSP draft standard: if there is a hash-source or nonce-source, 'unsafe-inline' is ignored by user agents:

A source list allows all inline behavior of a given type if it contains the keyword-source expression 'unsafe-inline' and does not override that expression, as described in the following algorithm:

[...]

If the expression matches the nonce-source or hash-source grammar, return "Does Not Allow".

In addition, CSP 2 defines how the source list is parsed when it contains unknown tokens:

For each token returned by splitting the source list on spaces, if the token matches the source-expression grammar, add the token to the set of source expressions.

Otherwise, ignore it. So it is clear that the authors assumed at least some level of forward compatibility.

+2

Browsers that do not understand hash-source elements may trigger a warning in the console, but they may not do so well. The recommended approach is to use user-agent sniffing to detect support, or to send 'unsafe-inline' along with your hash-source values.

User agents that understand hash sources will ignore 'unsafe-inline', and those that do not will fall back to 'unsafe-inline'. So it is backward compatible.

+2
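To make the two answers concrete, here is an added example (not from the question, the answers, or any browser) that simulates how a CSP Level 1 agent and a CSP Level 2 agent each parse the same script-src source list and decide whether inline scripts are allowed. The source-expression grammar is simplified, the CSP1 agent is assumed to treat nonce-source and hash-source tokens as unknown, and the policy string is constructed.

```python
import re

# Simplified CSP source-expression grammar (not the full spec grammar).
KEYWORDS = {"'self'", "'unsafe-inline'", "'unsafe-eval'"}
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)
HOST_RE = re.compile(
    r"^(\*|(https?://)?(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:(\d+|\*))?(/\S*)?)$", re.I)
# nonce-source and hash-source were introduced in CSP Level 2.
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'$")


def matches_grammar(token, level):
    """True if `token` is a valid source expression for a simulated user agent
    that implements CSP Level `level` (1 or 2)."""
    if token in KEYWORDS or SCHEME_RE.match(token) or HOST_RE.match(token):
        return True
    # Assumption: a Level 1 agent does not know the nonce/hash grammar at all.
    if level >= 2 and (NONCE_RE.match(token) or HASH_RE.match(token)):
        return True
    return False


def parse_source_list(value, level):
    """CSP 2 parsing rule quoted above: split on whitespace, keep tokens that
    match the grammar, silently ignore the rest (the directive is not dropped)."""
    return [t for t in value.split() if matches_grammar(t, level)]


def allows_inline_script(value, level):
    """'unsafe-inline' override rule: a Level 2 agent returns "Does Not Allow"
    as soon as any parsed expression is a nonce-source or hash-source."""
    exprs = parse_source_list(value, level)
    if "'unsafe-inline'" not in exprs:
        return False
    return not any(NONCE_RE.match(e) or HASH_RE.match(e) for e in exprs)


# Constructed policy value: a hash plus 'unsafe-inline' as a fallback.
POLICY = "'self' https://cdn.example.com 'unsafe-inline' 'sha256-AbCdEf0123456789+/=='"

if __name__ == "__main__":
    for level in (1, 2):
        print(f"CSP{level} parsed: {parse_source_list(POLICY, level)}")
        print(f"CSP{level} allows inline scripts: {allows_inline_script(POLICY, level)}")
```

The Level 1 agent keeps 'unsafe-inline' and drops the unknown hash token, so inline scripts still run; the Level 2 agent sees the hash-source and ignores 'unsafe-inline', so only the hashed script is allowed.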
