Microsoft Announces Content Security Policy Level 2 (CSP2) In Microsoft Edge

Microsoft has introduced support for Content Security Policy Level 2 (CSP2) in Microsoft Edge. It is another step taken by the company to make Microsoft Edge safer and more secure.
 
This is available now in the Insider Fast Ring, starting with EdgeHTML 15.15002, and in time it will become part of the stable builds with the Windows 10 Creators Update.
 
 
Image Source: blogs.windows.com
 
Content Security Policy is supported in all versions of Microsoft Edge. It allows web developers to lock down the resources their web application is permitted to use, helping them prevent cross-site scripting (XSS), which remains one of the most common vulnerabilities on the web.
 
CSP2 makes these lock-down scenarios easier to implement by adding support for nonces and hashes for script and style resources.
 
Microsoft states,
 
“A nonce is a cryptographically strong random value generated on each page load that appears in both the CSP policy and in the script tags in the page.”
 
Using nonces reduces the need to maintain a list of allowed source URL values, while still allowing trusted script declared in script elements to run.
 
When the page is generated dynamically on each load, the server generates a nonce value, inserts it into the page in place of the NonceToken placeholder, and declares the same value in the Content-Security-Policy HTTP header.
 
The CSP configuration allows script to be downloaded and executed from the page’s own domain or from https://example.com. If a script source declaration in the page includes the correct nonce value, that script can be downloaded and executed regardless of its source URL.
 
Script that does not meet these requirements is not downloaded by Microsoft Edge. Likewise, any inline script carrying the correct nonce value is allowed to execute, while no other inline script will run.
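As an added example (not code from the Microsoft blog or this article), here is the server-side half of the scheme described above in Python: a fresh nonce per page load, the matching header, the NonceToken substitution, and a simplified model of the browser's script-src decision. The page template, origins and helper names are constructed for illustration.

```python
import base64
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed page template; NonceToken is the placeholder the server fills in on each load.
# The last script has no nonce (e.g. markup injected via XSS) and must be blocked.
PAGE_TEMPLATE = """<html><head>
<script nonce="NonceToken" src="https://cdn.example.net/lib.js"></script>
<script nonce="NonceToken">init();</script>
<script>alert('injected');</script>
</head></html>"""


def generate_nonce(nbytes: int = 16) -> str:
    """Cryptographically strong random value, base64-encoded, generated fresh per page load."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_csp_header(nonce: str) -> str:
    """Value of the Content-Security-Policy header: scripts from the page's own origin,
    from https://example.com, or from any script element carrying this load's nonce."""
    return f"script-src 'self' https://example.com 'nonce-{nonce}'"


def render_page(nonce: str) -> str:
    """Insert the nonce into every NonceToken placeholder of the template."""
    return PAGE_TEMPLATE.replace("NonceToken", nonce)


def script_allowed(header: str, page_origin: str, src: Optional[str], script_nonce: Optional[str]) -> bool:
    """Simplified model of the browser's check (assumption: hosts are matched by exact origin only)."""
    sources = header.split()[1:]  # everything after the 'script-src' directive name
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if script_nonce is not None and script_nonce in nonces:
        return True  # correct nonce wins regardless of src, and it is what permits inline script
    if src is None:
        return False  # inline script without the nonce never runs
    parts = urlsplit(src)
    origin = f"{parts.scheme}://{parts.netloc}"
    for s in sources:
        if s == "'self'" and origin == page_origin:
            return True
        if not s.startswith("'") and origin == s.rstrip("/"):
            return True
    return False
```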
 
For more information, check the official Microsoft blog.