Published: November 17, 2025
From Chrome 141, you can join the origin trial to test the new Content Security Policy (CSP) features Chrome is introducing. These features help websites protect themselves against XSS by better allowlisting known sources of JavaScript. Allowlisting known JavaScript, and blocking all other sources, is an effective way to prevent XSS. Attacker injected JavaScript won't be on the allowlist, and therefore is blocked.
Without these features, it's difficult to have a "strict" CSP that allowlists all JavaScript sources without having a nonce communication mechanism between the script host and the site, or knowing the full hash of the script in advance. Both of these methods are difficult to deploy if the script both changes frequently and is hosted by a trusted, but separate third-party. Additionally, if any script needs to use eval, CSP currently requires that you allowlist eval for all scripts, making it much weaker.
We're attempting to address this gap by providing a stronger mechanism for
URL-based allowlisting of scripts in script-src, and a mechanism for
allowlisting calls to eval. You'll be able to use the existing hash mechanism in
script-src to allowlist URLs of specific scripts, and JavaScript passed to
eval (and other eval-like functions). While URL-based allowlisting is perhaps
not as strict as an integrity-based CSP, this mechanism should be a great
improvement on the existing hostname allowlist.
We believe that this provides an easier to deploy CSP policy that still robustly mitigates XSS by blocking unallowed inline and eval scripts. These new features are carefully designed and implemented to enable sites to set a policy that provides better security in browsers that support the new functionality, without causing breakage or regressing security in browsers that don't, without having to do user-agent sniffing.
Use cases
Allowlist specific URLs for use with script-src
Sites that want to allowlist specific scripts for use with script-src currently
have two options: allowlist the scripts contents through subresource integrity
(SRI), or use host-source to allowlist hostnames. SRI is often not practical for
scripts that change often (for example, analytics scripts). Specifying
host-source will be ignored when strict-dynamic is also set, and is not a
comprehensive protection, since it does not include URL parameters. This change
will permit allowlisting scripts using a hash of their (full) URL, supporting
both dynamic scripts and configurations that use strict-dynamic.
Allowlist specific scripts for use with eval or eval-like functions
Some sites require the use of eval or eval-like functions (passing code as
string literals in setTimeout, setInterval, and setImmediate). For these sites,
the only CSP option available to them is unsafe-eval, which enables all calls
to eval. We are adding a mechanism to allowlist specific inputs to eval. This
new mechanism permits narrowly allowlisting the specific scripts needed by
hashing the script contents directly, rather than being forced to provide an
overly broad unsafe-eval CSP.
Get started
To try out script and eval hashing support, join the
URL and eval hashes in CSP script-src origin trial,
running from Chrome 141 to 144.
Add hashes to script-src
URLs are allowlisted by adding a value to the script-src CSP directive in the
form of url-<hash-algorithm>-<script-url-hash>. This will permit whatever
content that that URL serves, regardless of content, to execute. The hash need
only include the initial URL (the URL included on the page), not any URL that
that URL redirects to. Both absolute and relative URLs are supported.
For example, the following CSP header will allowlist the script served at https://example.com/example.js:
Content-Security-Policy: script-src 'sha256-u2cYltM/2wbvoRR0jMZ57KmFdVqqdPYa6GtdykFwBGc=';
where 'sha256-u2cYltM/2wbvoRR0jMZ57KmFdVqqdPYa6GtdykFwBGc=' is the sha256 hash
of 'https://example.com/example.js'.
Scripts evaluated through eval or new Function can be allowlisted by
including eval-<hash-algorithm>-<script-contents-hash> to script src. For
example, the following CSP header will allowlist passing the string
alert("hello world") to eval():
Content-Security-Policy: script-src 'eval-sha256-4vpsisrBP00v+tF/SsQ3RXWWYF28JSvTpR9D/wrxn/0=';
where 'eval-sha256-4vpsisrBP00v+tF/SsQ3RXWWYF28JSvTpR9D/wrxn/0=' is the sha256
hash of alert("hello world").
To help bootstrap adoption, when a site opts into the origin trial, hashes for
both URLs and eval will be printed to the DevTools console and included in CSP
reports. This means a strict, but report-only policy, can be used to enumerate
all the hashes needed for allowlisting.
Maintain backwards compatibility
To permit deployment of these policies before all browsers have added support, URL hashes can be listed after host-based allowlists. Browsers that understand the new hash types will ignore preceding host-based allowlists, while browsers that don't understand the new hash types will still enforce the host-based allowlist, allowing sites to set both, using the stricter policy in browsers that support it, without having to risk breakage in browsers that don't, as shown in the following example.
Content-Security-Policy: script-src 'https:' 'url-sha256-u2cYltM/2wbvoRR0jMZ57KmFdVqqdPYa6GtdykFwBGc='
We've also introduced strict-dynamic-url, an equivalent of strict-dynamic that only applies when URL hashes are set. Since strict-dynamic causes host based allowlists to be ignored, a site that wants to allowlist a specific hash and have strict dynamic apply to it can use a policy like:
Content-Security-Policy: https: 'strict-dynamic-url' 'url-sha256-u2cYltM/2wbvoRR0jMZ57KmFdVqqdPYa6GtdykFwBGc='
In this example, browsers that don't yet support hashes will only enforce
https:. unsafe-eval will similarly be ignored by supporting browsers when
eval hashes are present. For example, the following policy will be evaluated as
unsafe-eval. This enables all eval() use on browsers that don't yet
support eval hashes, while only permitting the eval() of alert("hello world")
among browsers that support eval hashes.
Content-Security-Policy: script-src "unsafe-eval" "'eval-sha256-4vpsisrBP00v+tF/SsQ3RXWWYF28JSvTpR9D/wrxn/0='"
Share feedback
We're interested in feedback from developers about these extensions to
script-src. Post any comments as an issue on the explainer in
github.