Microsoft announces support for Content Security Policy Level 2 (CSP2) in Microsoft Edge

With the latest Windows 10 Creators Update Insider build, Microsoft has included support for Content Security Policy Level 2 (CSP2) in Microsoft Edge (EdgeHTML 15.15002) to make it the safest and most secure browser. CSP2 is an effective defense-in-depth mechanism against cross-site scripting and content injection attacks.

CSP already allowed web developers to lock down the resources that can be used by their web application, helping prevent cross-site scripting attacks, which remain a common vulnerability on the web. But it was difficult to implement on websites with inline script elements that either pointed to script sources or contained script directly.

CSP2 makes these scenarios easier by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value generated on each page load that appears both in the CSP policy and in the script tags in the page. Using nonces reduces the need to maintain a list of allowed source URLs, while still allowing trusted script declared in inline script elements to run.

In the future, Microsoft is also planning to add support for `'strict-dynamic'` from the CSP3 specification, to enable developers and site administrators to reduce their reliance on whitelists and tighten their CSP implementations.