'unsafe-hashes' is a feature in CSP3 which allows developers to enable specific event handlers without needing to use the less safe 'unsafe-inline' keyword. If 'unsafe-hashes' is present, inline event handlers are allowed to match against hashes specified by the 'script-src' directive (or its fallback if not present).
Specification
Specification being incubated in a Community Group
Status in Chromium
Blink>SecurityFeature>ContentSecurityPolicy
Enabled by default
(tracking bug)
Consensus & Standardization
After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.
- No signal
- No signal
- Positive
Owner
Last updated on 2021-09-24