Content Security Policy Level 2

Mitigate cross-site scripting attacks by only allowing certain sources of script, style, and other resources. CSP 2 adds hash-source, nonce-source, and five new directives

Spec	https://www.w3.org/TR/CSP2/
Status	W3C Recommendation

IE	Edge	Firefox	Chrome	Safari	Opera
			98
		95 ⁽⁷⁾	97
		94 ⁽⁷⁾	96	TP
11	95	93 ⁽⁷⁾	95	15	80
10	94	92 ⁽⁷⁾	94	14.1	79
9	93	91 ⁽⁷⁾	93	14	78
8	92	90 ⁽⁷⁾	92	13.1	77
Show all
7	91	89 ⁽⁷⁾	91	13	76
6	90	88 ⁽⁷⁾	90	12.1	75
5.5	89	87 ⁽⁷⁾	89	12	74
	88	86 ⁽⁷⁾	88	11.1	73
	87	85 ⁽⁷⁾	87	11	72
	86	84 ⁽⁷⁾	86	10.1	71
	85	83 ⁽⁷⁾	85	10	70
	84	82 ⁽⁷⁾	84	9.1	69
	83	81 ⁽⁷⁾	83	9	68
	81	80 ⁽⁷⁾	81	8	67
	80	79 ⁽⁷⁾	80	7.1	66
	79	78 ⁽⁷⁾	79	7	65
	18 ⁽⁹⁾	77 ⁽⁷⁾	78	6.1	64
	17 ⁽⁹⁾	76 ⁽⁷⁾	77	6	63
	16 ⁽⁹⁾	75 ⁽⁷⁾	76	5.1	62
	15 ⁽⁹⁾	74 ⁽⁷⁾	75	5	60
	14	73 ⁽⁷⁾	74	4	58
	13	72 ⁽⁷⁾	73	3.2	57
	12	71 ⁽⁷⁾	72	3.1	56
		70 ⁽⁷⁾	71		55
		69 ⁽⁷⁾	70		54
		68 ⁽⁷⁾	69		53
		67 ⁽⁷⁾	68		52
		66 ⁽⁷⁾	67		51
		65 ⁽⁷⁾	66		50
		64 ⁽⁷⁾	65		49
		63 ⁽⁷⁾	64		48
		62 ⁽⁷⁾	63		47
		61 ⁽⁷⁾	62		46
		60 ⁽⁷⁾	61		45
		59 ⁽⁷⁾	60		44
		58 ⁽⁷⁾	59		43
		57 ⁽⁷⁾	58		42
		56 ⁽⁷⁾	57		41
		55 ⁽⁷⁾	56		40
		54 ⁽⁷⁾	55		39
		53 ⁽⁷⁾	54		38
		52 ⁽⁷⁾	53		37
		51 ⁽⁷⁾	52		36
		50 ⁽⁷⁾	51		35
		49 ⁽⁷⁾	50		34
		48 ⁽⁷⁾	49		33
		47 ⁽⁷⁾	48		32
		46 ⁽⁷⁾	47		31
		45 ⁽⁷⁾	46		30
		44 ⁽³⁾	45		29
		43 ⁽³⁾	44		28
		42 ⁽³⁾	43		27
		41 ⁽³⁾	42		26 ⁽⁵⁾
		40 ⁽³⁾	41		25 ⁽⁴⁾
		39 ⁽³⁾	40		24 ⁽⁴⁾
		38 ⁽³⁾	39 ⁽⁵⁾		23 ⁽⁴⁾
		37 ⁽³⁾	38 ⁽⁴⁾		22
		36 ⁽³⁾	37 ⁽⁴⁾		21
		35 ⁽²⁾	36 ⁽⁴⁾		20
		34 ⁽¹⁾	35		19
		33 ⁽¹⁾	34		18
		32 ⁽¹⁾	33		17
		31 ⁽¹⁾	32		16
		30	31		15
		29	30		12.1
		28	29		12
		27	28		11.6
		26	27		11.5
		25	26		11.1
		24	25		11
		23	24		10.6
		22	23		10.5
		21	22		10.0-10.1
		20	21		9.5-9.6
		19	20		9
		18	19
		17	18
		16	17
		15	16
		14	15
		13	14
		12	13
		11	12
		10	11
		9	10
		8	9
		7	8
		6	7
		5	6
		4	5
		3.6	4
		3.5
		3
		2

Safari on iOS	Opera Mini	Android Browser	Blackberry Browser	Opera Mobile	Android Chrome	Android Firefox	IE Mobile	Android UC Browser	Samsung Internet	QQ Browser	Baidu Browser	KaiOS Browser
15	all	94	10	64	94	92 ⁽⁶⁾	11	12.12	15.0	10.4	7.12	2.5 ⁽⁷⁾
14.5-14.8		4.4.3-4.4.4	7	12.1			10		14.0
14.0-14.4		4.4		12					13.0
13.4-13.7		4.2-4.3		11.5					12.0
Show all
13.3		4.1		11.1					11.1-11.2
13.2		4		11					10.1
13.0-13.1		3		10					9.2
12.2-12.5		2.3							8.2
12.0-12.1		2.2							7.2-7.4
11.3-11.4		2.1							6.2-6.4
11.0-11.2									5.0-5.4
10.3									4
10.0-10.2
9.3
9.0-9.2
8.1-8.4
8
7.0-7.1
6.0-6.1
5.0-5.1
4.2-4.3
4.0-4.1
3.2

Notes

Firefox 31-34 is missing the plugin-types, child-src, frame-ancestors, base-uri, and form-action directives.
Firefox 35 is missing the plugin-types, child-src, frame-ancestors, and form-action directives.
Firefox 36-44 is missing the plugin-types and child-src directives.
Chrome 36-38 & Opera 23-25 are missing the plugin-types, child-src, frame-ancestors, base-uri, and form-action directives.
Chrome 39 and Opera 26 are missing the plugin-types, child-src, base-uri, and form-action directives.
Firefox 38 on Android is missing the child-src directive.
Firefox 45+ is missing the plugin-types directive.
Edge has broken nonce support as it ignores nonces on sourced scripts.

Bugs

Partial support in Edge refers to broken nonce suport which will lead to breakages since sourced script tags with a valid nonce will get blocked.

Resources

Data by caniuse.com
Licensed under the Creative Commons Attribution License v4.0.
https://caniuse.com/contentsecuritypolicy2