+1

It'd be helpful if we could list which CSP directives were introduced after the initial level 3 specification was released.

Some new directives are:

script-src-attr, script-src-elem, style-src-attr, style-src-elem, prefetch-src, strict-dynamic, unsafe-hashes (renamed from unsafe-hashed-attributes, Chrome status: https://www.chromestatus.com/feature/5867082285580288):

Proposed directives: wasm-unsafe-eval (renamed from wasm-eval), webrtc-src and trusted-types (relates to: #4787).

For reference, here's other issues related to individual CSP directives support:

• require-sri-for Add 'require-sri-for' CSP Directive #2674
• frame-ancestors Support for the frame-ancestors directive #2335

wasm-unsafe-eval is supposedly in Chrome 97. It was also implemented in WebKit in February, but I can't see a Safari release tag that applies to the commit. It may be in iOS 15.4/Mac OS X 10.15.6, which have not yet been tagged, or a later release.

Another feature worth including is external hashes, which essentially let you declare a list of allowed SRI hashes.