
Microsoft Edge support for Content Security Policy Level 2 (CSP2) has already been added in the latest Windows 10 Insider build and will reach all users with the Creators Update.

Since EdgeHTML 15.15002 the feature is turned on by default. It enforces the whitelists that web developers declare in the Content-Security-Policy HTTP response header, limiting the execution and rendering of content to the listed, trusted sources.

As Microsoft points out, Content Security Policy Level 2 “will help prevent cross-site scripting attacks that remain a common vulnerability on the web”. Any script that the policy does not allow is blocked; an external script from a source that is not whitelisted is not even downloaded by Microsoft Edge.

To allow an individual inline script, Edge checks the Content-Security-Policy HTTP header for a nonce source ('nonce-…') and compares it with the nonce attribute of the script element. The nonce is a random value that the server generates fresh for every response, so an attacker who injects a script into the page cannot know it in advance, and the injected script is not executed. Despite the name, the CSP nonce is not a replay-protection mechanism; its job is to be unguessable, which is why it must come from a cryptographic random source and must never be reused across responses.

Content Security Policy support in other browsers

Content Security Policy Level 2 is the successor to Content Security Policy Level 1. It adds path matching to source expressions (a whitelist entry can now name a directory or a file rather than only a host), introduces five new directives and allows individual inline scripts and stylesheets to be whitelisted via nonces or hashes.

Content Security Policy Level 3 is already at the working-draft stage and promises further improvements and much easier integration.

The following charts by caniuse offer a good overview of the major browsers by version number. As you can see, Google Chrome has supported both Content Security Policy Level 1 and Level 2 in every version shown, from version 49 onward. Microsoft Edge has supported Content Security Policy Level 1 for some time, but was quite late to integrate it.

According to Microsoft, the first version of Content Security Policy was difficult to adopt for “websites with inline script elements that either pointed to script sources or that contained script directly.”

[Screenshot: caniuse Content Security Policy support chart for Firefox, Chrome, Edge and Opera]