RE: Non-browser implementation of CSP (was Re: CSP3 as a polylithic set of modules?)

Safari on OSX and MS Edge both support at least some of CSP 2, e.g. CSP via meta tags, which Firefox did not last time I looked.
From: Brian Smith [mailto:brian@briansmith.org] 
Sent: 05 October 2015 18:07
To: Mike West <mkwst@google.com>
Cc: public-webappsec@w3.org; Brad Hill <hillbrad@gmail.com>; Dan Veditz <dveditz@mozilla.com>; Mark Nottingham <mnot@mnot.net>; Travis Leithead <Travis.Leithead@microsoft.com>
Subject: Re: Non-browser implementation of CSP (was Re: CSP3 as a polylithic set of modules?)

On Mon, Oct 5, 2015 at 2:46 AM, Mike West <mkwst@google.com> wrote:

On Thu, Oct 1, 2015 at 7:39 PM, Brian Smith <brian@briansmith.org> wrote:

One of the problems with CSP as enforced in browsers today is that, even when the browser blocks an XSS from loading some content, the HTML of the XSS is still in the DOM. I'd like to find some way of preventing the XSS from ever making it into the DOM. And, I'd like to be able to separate out the parts of CSP that can be done production-side from the parts that have to be done by the browser (e.g. redirects).
What is the value of that separation?
I understand that it could help template-engine developers add CSP-related features into their engines. Is that the extent of the benefit?
Yes, but anything that would encourage the development of template-engine-enforced CSP would be a large benefit. That's especially true if Safari and MSIE aren't implementing CSP 2 any time soon.
Cheers,

Brian

-- 

https://briansmith.org/
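The "production-side" half of CSP that Brian describes above, sketched as an added example (not code from this thread, from any participant, or from any template engine): a check a template engine could run over rendered HTML to flag `<script>` elements the browser would refuse under the policy's `script-src`, before the markup is sent, plus a helper that renders the policy as the `<meta>` tag mentioned in the reply and rejects directives that CSP 2 does not deliver via `<meta>` (`frame-ancestors`, `report-uri`, `sandbox`). All function names, the sample policy and the sample HTML are assumptions constructed for the example. Host matching is simplified (scheme, host and port, plus leading-wildcard hosts; no path matching), and redirects and `'strict-dynamic'` are out of scope because only the browser sees the actual requests.

```python
"""Server-side pre-check for the script-src part of a CSP (added example,
not from the thread). A template engine can run check_scripts() over
rendered HTML to find <script> elements the browser would block."""
import base64
import hashlib
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Directives that CSP 2 ignores when the policy is delivered in a <meta> tag.
META_UNSUPPORTED = ("frame-ancestors", "report-uri", "sandbox")


def parse_policy(policy):
    """Split a policy string into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_hash(text, algo="sha256"):
    """Hash-source expression for an inline script body, e.g. 'sha256-...'."""
    digest = hashlib.new(algo, text.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def csp_meta_tag(policy):
    """Render a policy as a <meta> tag, rejecting directives meta cannot carry."""
    bad = [d for d in META_UNSUPPORTED if d in parse_policy(policy)]
    if bad:
        raise ValueError("not deliverable via <meta>: " + ", ".join(bad))
    return '<meta http-equiv="Content-Security-Policy" content="%s">' % html.escape(policy, quote=True)


class _ScriptCollector(HTMLParser):
    """Collect src, nonce and inline body of every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "nonce": a.get("nonce"), "text": ""}

    def handle_data(self, data):
        if self._cur is not None:  # HTMLParser hands script bodies to handle_data
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None


def _external_allowed(src, sources, page_origin):
    """Simplified host-source / scheme-source matching for an external script URL."""
    u = urlsplit(urljoin("%s://%s/" % page_origin, src))  # resolve relative URLs
    for expr in sources:
        if expr == "*" or (expr == "'self'" and (u.scheme, u.netloc) == page_origin):
            return True
        if expr.startswith("'"):
            continue  # keywords, nonces and hashes never match a URL
        if expr.endswith(":"):  # scheme-source such as https:
            if u.scheme == expr[:-1].lower():
                return True
            continue
        p = urlsplit(expr if "://" in expr else "//" + expr)
        if p.scheme and p.scheme != u.scheme:
            continue
        host, actual = p.netloc.lower(), u.netloc.lower()
        if actual == host or (host.startswith("*.") and actual.endswith(host[1:])):
            return True
    return False


def _inline_allowed(script, sources):
    """Inline script: nonce, hash, or 'unsafe-inline' (ignored once nonces/hashes appear)."""
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    if script["nonce"] and "'nonce-%s'" % script["nonce"] in sources:
        return True
    return any(script_hash(script["text"], a) in sources for a in ("sha256", "sha384", "sha512"))


def check_scripts(policy, html_text, page_origin=("https", "example.com")):
    """Return descriptions of the <script> elements the policy would block."""
    d = parse_policy(policy)
    sources = d["script-src"] if "script-src" in d else d.get("default-src")
    if sources is None:
        return []  # no governing directive: nothing to enforce
    collector = _ScriptCollector()
    collector.feed(html_text)
    violations = []
    for s in collector.scripts:
        if s["src"] is not None:
            if not _external_allowed(s["src"], sources, page_origin):
                violations.append("blocked external script: %s" % s["src"])
        elif not _inline_allowed(s, sources):
            violations.append("blocked inline script: %s" % s["text"].strip()[:40])
    return violations


# Constructed sample policy and page; the hash-source is derived from the inline body below.
SAMPLE_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.net 'nonce-r4nd0m' "
                 + script_hash("console.log('ok')"))
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="https://evil.example.org/x.js"></script>
<script nonce="r4nd0m">init();</script>
<script>console.log('ok')</script>
<script>alert('injected')</script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(csp_meta_tag(SAMPLE_POLICY))
    for v in check_scripts(SAMPLE_POLICY, SAMPLE_HTML):
        print(v)
```

Running it reports the third external script and the last inline script as blocked; the same-origin, CDN, nonced and hashed scripts pass. The point of the split is visible in what the checker cannot do: an external script that redirects elsewhere, or that `'strict-dynamic'` would later authorise, still needs the browser's enforcement.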
Received on Monday, 5 October 2015 17:26:26 UTC