Conversation

Firefox/Safari don't support strict CSP in a reasonable way. They're missing several other important security features too, but it doesn't block deploying them for more modern/secure browsers. Trusted Types is easily the most impactful mitigation especially with 'none' policy...
I don't see a way to deploy external hash-source as a replacement for URL pattern whitelists without breaking Firefox and Safari. Maybe we'll just stop supporting those for attestation.app since I'm ready to deploy this now. I've waited several years and want strict CSP.