tl;dr

The strict-dynamic source list keyword allows you to simplify your CSP policy by favoring hashes and nonces over domain host lists.

The key super power of strict-dynamic is that it will allow to load additional scripts via non-"parser-inserted" script elements.

For unsupported browsers Show archive.org snapshot , your script can be made backwards compatible by doing something like this:

script-src 'nonce-rAnd0m' 'strict-dynamic' https: 'self'
default-src 'self';

Opscomplete powered by

Save money by migrating from AWS to our fully managed hosting in Germany.

• Trusted by over 100 customers
• Ready to use with Ruby, Node.js, PHP
• Proactive management by operations experts

Read more Show archive.org snapshot

With 'strict-dynamic' the https: entry will be ignored by modern browsers. Older browsers will allow the loading of scripts from any URL.

Does not affect CSS or Images

img-src and style-src directives still apply.

Read further

A good default CSP can be found at Strict CSP Show archive.org snapshot .