When was this last updated?

This page was last updated 2026-04-03.

See the full changelog in the article above.

CSP

CSP Browser Support 2026 — Directive Compatibility Table

CSP Level 3 is now well-supported across all major browsers. A handful of newer directives — Trusted Types, script-src-attr, navigate-to — have partial support. Here is the full compatibility picture as of early 2026.

Last updated: 2026-04-03. Browser versions: Chrome 131+, Firefox 133+, Safari 18+, Edge 131+.

Core directives — full support everywhere

Directive	Chrome	Firefox	Safari	Edge
default-src	✅	✅	✅	✅
script-src	✅	✅	✅	✅
style-src	✅	✅	✅	✅
img-src	✅	✅	✅	✅
connect-src	✅	✅	✅	✅
font-src	✅	✅	✅	✅
frame-src	✅	✅	✅	✅
frame-ancestors	✅	✅	✅	✅
object-src	✅	✅	✅	✅
base-uri	✅	✅	✅	✅
form-action	✅	✅	✅	✅
worker-src	✅	✅	✅	✅
manifest-src	✅	✅	✅	✅
media-src	✅	✅	✅	✅
upgrade-insecure-requests	✅	✅	✅	✅
block-all-mixed-content	✅	✅	✅	✅

Nonces, hashes, strict-dynamic

Feature	Chrome	Firefox	Safari	Edge
'nonce-value'	✅	✅	✅	✅
'sha256-hash'	✅	✅	✅	✅
'strict-dynamic'	✅	✅	✅ 15.4+	✅
'unsafe-hashes'	✅	✅	✅ 15.4+	✅
'wasm-unsafe-eval'	✅	✅	✅ 16+	✅

Newer / partial support directives

Directive	Chrome	Firefox	Safari	Edge	Notes
script-src-elem	✅ 90+	✅ 105+	✅ 16+	✅ 90+	Granular control over script elements vs inline handlers
script-src-attr	✅ 90+	✅ 105+	✅ 16+	✅ 90+	Controls inline event handlers separately from scripts
style-src-elem	✅ 90+	✅ 105+	✅ 16+	✅ 90+
require-trusted-types-for 'script'	✅ 83+	⚠️ Partial	❌	✅ 83+	Trusted Types — Safari no support
trusted-types	✅ 83+	⚠️ Partial	❌	✅ 83+	Define Trusted Type policies
navigate-to	❌	❌	❌	❌	Spec'd but no browser has shipped it
report-to	✅ 70+	⚠️ Partial	⚠️ Partial	✅ 70+	Use report-uri as fallback

What changed in 2025–2026

Safari 18 — Added full support for strict-dynamic and unsafe-hashes, closing the main Safari CSP gap
Firefox 105+ — script-src-elem and script-src-attr now fully supported
Chrome 131+ — Improved Trusted Types enforcement, better DevTools violation reporting
SharePoint Online — Began enforcing CSP for all tenant pages March 2026
navigate-to — Still unshipped in all browsers despite being in the spec since CSP3

Practical recommendation

For maximum browser compatibility in 2026, a nonce-based policy with strict-dynamic works across all major browsers including Safari 15.4+. Trusted Types remains Chrome/Edge only — use it for those environments only and do not rely on it for Safari users.

Verify your config → HttpFixer Tools