Intent to Ship: CSP 1.1 [script/style]-[hash/nonce]

Contact emails

Spec
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#nonce-usage-for-script-elements

Summary
CSP 1.1 adds hash and nonce source expressions to the script-src and style-src directives. These allow inline scripts that the server has whitelisted (by listing their hash, or by giving them a nonce that also appears in the policy) to execute, even without 'unsafe-inline'. This Intent to Ship will move the hash and nonce sources out from behind the experimental flag.
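An added example, not part of the blink-dev post: it computes the hash and nonce source expressions that the Summary describes for an inline script, and checks whether a given script-src directive would let that script run. Function names and the sample policies are my own; the rule that 'unsafe-inline' is ignored once a nonce or hash source is present comes from the later CSP Level 2 spec.

```python
import base64
import hashlib
import re
import secrets
from typing import List, Optional


def hash_source(inline_script: str, algo: str = "sha256") -> str:
    """CSP source expression for an inline script: 'sha256-<base64 digest>'.
    The digest covers the exact UTF-8 bytes between <script> and </script>,
    so any whitespace change to the inline content invalidates it."""
    digest = hashlib.new(algo, inline_script.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def nonce_source(nonce: str) -> str:
    """'nonce-<value>'; the same value must appear in the <script nonce=""> attribute."""
    return f"'nonce-{nonce}'"


def new_nonce() -> str:
    """Fresh, unguessable nonce; generate one per response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def directive_sources(policy: str, directive: str) -> List[str]:
    """Source list of one directive from a serialized policy header value."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return tokens[1:]
    return []


def inline_allowed(policy: str, inline_script: str, nonce: Optional[str] = None,
                   directive: str = "script-src") -> bool:
    """True if the inline script may run under this policy.
    A nonce or hash match always allows it; 'unsafe-inline' only counts when
    no nonce/hash source is present (CSP Level 2 rule, assumed here)."""
    sources = directive_sources(policy, directive)
    hash_re = re.compile(r"'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'")
    has_nonce_or_hash = any(
        s.startswith("'nonce-") or hash_re.fullmatch(s) for s in sources)
    if nonce and nonce_source(nonce) in sources:
        return True
    for src in sources:
        m = hash_re.fullmatch(src)
        if m and hash_source(inline_script, m.group(1)) == src:
            return True
    return "'unsafe-inline'" in sources and not has_nonce_or_hash
```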
Link to "Intent to Implement" blink-dev discussion
There was no "Intent to Implement" as the flag already existed and this was an extension of the already implemented Content Security Policy.
Is this feature supported on all five Blink platforms (Windows, Mac, Linux, Chrome OS and Android)?
Yes.

Compatibility Risk
If sites become heavily dependent on either hash or nonce, this could be very painful to un-ship. It would probably mean that many sites simply couldn't use Content Security Policy at all at that point (which, of course, is the motivation for implementing and shipping this in the first place). Such an un-ship is also not impossible. Many of the standards discussions have debated which is superior, nonce vs. hash, as they serve a very similar purpose but with different costs and benefits. The consensus was to ship CSP 1.1 with both, but with the understanding that this may be revisited at a later time to see if one is dominant and perhaps remove the other. On the other hand, if developers like both, the spec might keep both.

See this W3C thread on nonce.
See this W3C thread on hash.
See this W3C thread on the debate between the two.