CSP Browser Support 2026 — Directive Compatibility Table
CSP Level 3 is now well-supported across all major browsers. A handful of newer directives — Trusted Types, script-src-attr, navigate-to — have partial support. Here is the full compatibility picture as of early 2026.
Last updated: 2026-04-03. Browser versions: Chrome 131+, Firefox 133+, Safari 18+, Edge 131+.
Core directives — full support everywhere
| Directive | Chrome | Firefox | Safari | Edge |
|---|---|---|---|---|
| default-src | ✅ | ✅ | ✅ | ✅ |
| script-src | ✅ | ✅ | ✅ | ✅ |
| style-src | ✅ | ✅ | ✅ | ✅ |
| img-src | ✅ | ✅ | ✅ | ✅ |
| connect-src | ✅ | ✅ | ✅ | ✅ |
| font-src | ✅ | ✅ | ✅ | ✅ |
| frame-src | ✅ | ✅ | ✅ | ✅ |
| frame-ancestors | ✅ | ✅ | ✅ | ✅ |
| object-src | ✅ | ✅ | ✅ | ✅ |
| base-uri | ✅ | ✅ | ✅ | ✅ |
| form-action | ✅ | ✅ | ✅ | ✅ |
| worker-src | ✅ | ✅ | ✅ | ✅ |
| manifest-src | ✅ | ✅ | ✅ | ✅ |
| media-src | ✅ | ✅ | ✅ | ✅ |
| upgrade-insecure-requests | ✅ | ✅ | ✅ | ✅ |
| block-all-mixed-content | ✅ | ✅ | ✅ | ✅ |
Nonces, hashes, strict-dynamic
| Feature | Chrome | Firefox | Safari | Edge |
|---|---|---|---|---|
| 'nonce-value' | ✅ | ✅ | ✅ | ✅ |
| 'sha256-hash' | ✅ | ✅ | ✅ | ✅ |
| 'strict-dynamic' | ✅ | ✅ | ✅ 15.4+ | ✅ |
| 'unsafe-hashes' | ✅ | ✅ | ✅ 15.4+ | ✅ |
| 'wasm-unsafe-eval' | ✅ | ✅ | ✅ 16+ | ✅ |
Newer / partial support directives
| Directive | Chrome | Firefox | Safari | Edge | Notes |
|---|---|---|---|---|---|
| script-src-elem | ✅ 90+ | ✅ 105+ | ✅ 16+ | ✅ 90+ | Granular control over script elements vs inline handlers |
| script-src-attr | ✅ 90+ | ✅ 105+ | ✅ 16+ | ✅ 90+ | Controls inline event handlers separately from scripts |
| style-src-elem | ✅ 90+ | ✅ 105+ | ✅ 16+ | ✅ 90+ | |
| require-trusted-types-for 'script' | ✅ 83+ | ⚠️ Partial | ❌ | ✅ 83+ | Trusted Types enforcement; not supported in Safari |
| trusted-types | ✅ 83+ | ⚠️ Partial | ❌ | ✅ 83+ | Define Trusted Type policies |
| navigate-to | ❌ | ❌ | ❌ | ❌ | Spec'd but no browser has shipped it |
| report-to | ✅ 70+ | ⚠️ Partial | ⚠️ Partial | ✅ 70+ | Use report-uri as fallback |
What changed in 2025–2026
- Safari 18 — Added full support for strict-dynamic and unsafe-hashes, closing the main Safari CSP gap
- Firefox 105+ — script-src-elem and script-src-attr now fully supported
- Chrome 131+ — Improved Trusted Types enforcement, better DevTools violation reporting
- SharePoint Online — Began enforcing CSP for all tenant pages March 2026
- navigate-to — Still unshipped in all browsers despite being in the spec since CSP3
Practical recommendation
For maximum browser compatibility in 2026, a nonce-based policy with strict-dynamic works across all major browsers including Safari 15.4+. Trusted Types remains Chrome/Edge only — use it for those environments only and do not rely on it for Safari users.