feat: stabilize CSP

astro.sidebar.ts

@@ -144,7 +144,6 @@ export const sidebar = [
 			group('reference.experimental', {
 				items: [
 					'reference/experimental-flags',
-					'reference/experimental-flags/csp',
 					'reference/experimental-flags/fonts',
 					'reference/experimental-flags/client-prerender',
 					'reference/experimental-flags/content-intellisense',

src/content/docs/en/guides/integrations-guide/netlify.mdx

@@ -424,14 +424,14 @@ Enables specifying custom headers for prerendered pages in Netlify's configurati
 
 If enabled, the adapter will save [static headers in the Framework API config file](https://docs.netlify.com/frameworks-api/#headers) when provided by Astro features, such as Content Security Policy.
 
-For example, when [experimental Content Security Policy](/en/reference/experimental-flags/csp/) is enabled, `experimentalStaticHeaders` can be used to add the CSP `headers` to your Netlify configuration, instead of creating a `<meta>` element:
+For example, when [Content Security Policy](/en/reference/configuration-reference/#securitycsp) is enabled, `experimentalStaticHeaders` can be used to add the CSP `headers` to your Netlify configuration, instead of creating a `<meta>` element:
 
 ```js title="astro.config.mjs" {9}
 import { defineConfig } from 'astro/config';
 import netlify from '@astrojs/netlify';
 
 export default defineConfig({
-  experimental: {
+  security: {
     csp: true
   },
   adapter: netlify({

src/content/docs/en/guides/integrations-guide/node.mdx

@@ -144,15 +144,14 @@ export default defineConfig({
 
 If enabled, the adapter will serve the headers of prerendered pages using the `Response` object when provided by Astro features, such as Content Security Policy.
 
-For example, when [experimental Content Security Policy](/en/reference/experimental-flags/csp/) is enabled, `experimentalStaticHeaders` can be used to add the CSP headers to the `Response` object instead of creating a `<meta>` element:
+For example, when [Content Security Policy](/en/reference/configuration-reference/#securitycsp) is enabled, `experimentalStaticHeaders` can be used to add the CSP headers to the `Response` object instead of creating a `<meta>` element:
 
 ```js title="astro.config.mjs" {10}
 import { defineConfig } from 'astro/config';
 import node from '@astrojs/node';
 
 export default defineConfig({
-  experimental: {
-    csp: true
+  security  csp: true
   },
   adapter: node({
     mode: 'standalone',

src/content/docs/en/guides/integrations-guide/vercel.mdx

@@ -498,14 +498,14 @@ Enables specifying custom headers for prerendered pages in Vercel's configuratio
 
 If enabled, the adapter will save [static headers in the Vercel `vercel.json` file](https://vercel.com/docs/project-configuration#headers) when provided by Astro features, such as Content Security Policy.
 
-For example, when [experimental Content Security Policy](/en/reference/experimental-flags/csp/) is enabled, `experimentalStaticHeaders` can be used to add the CSP `headers` to your Vercel configuration, instead of creating a `<meta>` element:
+For example, when [Content Security Policy](/en/reference/configuration-reference/#securitycsp) is enabled, `experimentalStaticHeaders` can be used to add the CSP `headers` to your Vercel configuration, instead of creating a `<meta>` element:
 
 ```js title="astro.config.mjs" {9}
 import { defineConfig } from 'astro/config';
 import vercel from '@astrojs/vercel';
 
 export default defineConfig({
-  experimental: {
+  security: {
     csp: true
   },
   adapter: vercel({

src/content/docs/en/guides/view-transitions.mdx

@@ -461,7 +461,7 @@ One way to implement this safely is to ensure only a set of known paths can be r
 
 The exact kind of sanitization you need will depend on your site and what you want to allow.
 
-<ReadMore>Consider enabling Astro’s [experimental Content Security Policy feature](/en/reference/experimental-flags/csp/) to help protect against cross-site scripting (XSS) risks if using user input with the `navigate()` API.</ReadMore>
+<ReadMore>Consider enabling Astro’s [Content Security Policy feature](/en/reference/configuration-reference/#securitycsp) to help protect against cross-site scripting (XSS) risks if using user input with the `navigate()` API.</ReadMore>
 
 ## Fallback control
 

src/content/docs/en/reference/adapter-reference.mdx

@@ -1102,7 +1102,7 @@ export default function createIntegration() {
 }
 ```
 
-The value of the headers might change based on the features enabled/used by the application. For example, if [CSP is enabled](/en/reference/experimental-flags/csp/), the `<meta http-equiv="content-security-policy">` element is not added to the static page. Instead, its `content` is available in the `experimentalRouteToHeaders` map. 
+The value of the headers might change based on the features enabled/used by the application. For example, if [CSP is enabled](/en/reference/configuration-reference/#securitycsp), the `<meta http-equiv="content-security-policy">` element is not added to the static page. Instead, its `content` is available in the `experimentalRouteToHeaders` map. 
 
 ## Adapter types reference
 

src/content/docs/en/reference/api-reference.mdx

@@ -1048,3 +1048,162 @@ Loads a session by ID. In normal use, a session is loaded automatically from the
   </TabItem>
 
 </Tabs>
+
+### `csp`
+
+
+<p>
+
+**Type**: `AstroSharedContextCsp`
+<Since v="6.0.0" />
+</p>
+
+Astro's CSP runtime APIs enable support for [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) to help minimize certain types of security threats by controlling which resources a document is allowed to load. This provides additional protection against [cross-site scripting (XSS)](https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting) attacks.
+
+You can customize the `<meta>` element per page from the `Astro` global inside `.astro` components, or the `APIContext` type in endpoints and middleware.
+
+When resources are inserted multiple times or from multiple sources (e.g. defined in your [`csp` config](/en/reference/configuration-reference/#securitycsp) and added using the following CSP runtime APIs, Astro will merge and deduplicate all resources to create your `<meta>` element.
+
+
+#### `insertDirective`
+
+<p>
+
+**Type:** `(directive: CspDirective) => void`<br />
+<Since v="6.0.0" />
+</p>
+
+Adds a single directive to the current page. You can call this method multiple times to add additional directives.
+
+```astro title="src/pages/index.astro"
+---
+Astro.csp.insertDirective("default-src 'self'");
+Astro.csp.insertDirective("img-src 'self' https://images.cdn.example.com");
+---
+```
+
+After the build, the `<meta>` element for this individual page will incorporate your additional directives alongside the existing `script-src` and `style-src` directives:
+
+```html
+<meta
+http-equiv="content-security-policy"
+content="
+  default-src 'self'; 
+  img-src 'self' https://images.cdn.example.com;
+  script-src 'self' 'sha256-somehash';
+  style-src 'self' 'sha256-somehash';
+  "
+>
+```
+
+#### `insertStyleResource`
+
+<p>
+
+**Type:** `(resource: string) => void`<br />
+<Since v="6.0.0" />
+</p>
+
+Inserts a new resource to be used for the `style-src` directive.
+
+```astro title="src/pages/index.astro"
+---
+Astro.csp.insertStyleResource("https://styles.cdn.example.com");
+---
+```
+
+After the build, the `<meta>` element for this individual page will add your source to the default `style-src` directive:
+
+```html
+<meta
+http-equiv="content-security-policy"
+content="
+  script-src 'self' 'sha256-somehash';
+  style-src https://styles.cdn.example.com 'sha256-somehash';
+  "
+>
+```
+
+#### `insertStyleHash`
+
+<p>
+
+**Type:** `(hash: CspHash) => void`<br />
+<Since v="6.0.0" />
+</p>
+
+Adds a new hash to the `style-src` directive.
+
+```astro  title="src/pages/index.astro"
+---
+Astro.csp.insertStyleHash("sha512-styleHash");
+---
+```
+
+After the build, the `<meta>` element for this individual page will add your hash to the default `style-src` directive:
+
+```html
+<meta
+http-equiv="content-security-policy"
+content="
+  script-src 'self' 'sha256-somehash';
+  style-src 'self' 'sha256-somehash' 'sha512-styleHash';
+  "
+>
+```
+
+#### `insertScriptResource`
+
+<p>
+
+**Type:** `(resource: string) => void`<br />
+<Since v="6.0.0" />
+</p>
+
+Inserts a new valid source to be used for the `script-src` directive.
+
+```astro title="src/pages/index.astro"
+---
+Astro.csp.insertScriptResource("https://scripts.cdn.example.com");
+---
+```
+
+After the build, the `<meta>` element for this individual page will add your source to the default `script-src` directive:
+
+```html
+<meta
+http-equiv="content-security-policy"
+content="
+  script-src https://scripts.cdn.example.com 'sha256-somehash';
+  style-src 'self' 'sha256-somehash';
+  "
+>
+```
+
+#### `insertScriptHash`
+
+<p>
+
+**Type:** `(hash: CspHash) => void`<br />
+<Since v="6.0.0" />
+</p>
+
+Adds a new hash to the `script-src` directive.
+
+```astro title="src/pages/index.astro"
+---
+Astro.csp.insertScriptHash("sha512-scriptHash");
+---
+```
+
+After the build, the `<meta>` element for this individual page will add your hash to the default `script-src` directive:
+
+```html
+<meta
+http-equiv="content-security-policy"
+content="
+  script-src 'self' 'sha256-somehash' 'sha512-styleHash';
+  style-src 'self' 'sha256-somehash';
+  "
+>
+```