Support individual CSP rules

[demee]

I think it would be nice if I could look for the individual directive and see which browser they apply to. I.e. I could search for new Level 3 individual directive like script-src-elem.

Thank You.

[Malvoz]

+1

[Malvoz]

It'd be helpful if we could list which CSP directives were introduced after the initial level 3 specification was released.

Some new directives are:

script-src-attr, script-src-elem, style-src-attr, style-src-elem, prefetch-src, strict-dynamic, unsafe-hashes (renamed from unsafe-hashed-attributes, Chrome status: https://www.chromestatus.com/feature/5867082285580288):

Proposed directives: wasm-unsafe-eval (renamed from wasm-eval), webrtc-src and trusted-types (relates to: #4787).

[Malvoz]

For reference, here's other issues related to individual CSP directives support:

• require-sri-for Add 'require-sri-for' CSP Directive #2674
• frame-ancestors Support for the frame-ancestors directive #2335

[GreenReaper]

wasm-unsafe-eval is supposedly in Chrome 97. It was also implemented in WebKit in February, but I can't see a Safari release tag that applies to the commit. It may be in iOS 15.4/Mac OS X 10.15.6, which have not yet been tagged, or a later release.

[Seirdy]

Another feature worth including is external hashes, which essentially let you declare a list of allowed SRI hashes.