The problem
Content-Security-Policy should blacklist script and style parsing by default and allow it based on various instructions, one of which is a verified hash of the expected output. The browser must fail to implement any JavaScript or CSS which has not been given a matching hash in advance. Code with a matching hash should be executed as normal. Microsoft Edge is refusing all JS/CSS in-page blocks.
Instructions
Visit the live demonstration link below in Microsoft Edge, and also in any other browser.
Live demonstration: http://output.jsbin.com/biqidoqebu
Demonstration original source code
<!doctype html>
<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='; script-src https://ajax.googleapis.com 'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc=';" />
<meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; style-src 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='; script-src https://ajax.googleapis.com 'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc=';" />
<style>#loading{color:transparent}#loading:after{color:green;content:"Style loaded."}</style>
</head>
<body>
<span id="loading">Hashes loading...</span>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>
<script>alert("Script loaded.")</script>
</body>
</html>

Console output in Microsoft Edge:
CSP14304: Unknown source ‘'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='’ for directive ‘style-src’ in - source will be ignored.
CSP14306: No sources given for directive ‘style-src’ for - this is equivalent to using ‘none’ and will prevent the downloading of all resources of this type.
CSP14304: Unknown source ‘'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc='’ for directive ‘script-src’ in - source will be ignored.
CSP14312: Resource violated directive ‘style-src 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='’ in : inline style. Resource will be blocked.
CSP14312: Resource violated directive ‘script-src LINK-REMOVED-INSUFFICIENT-REPUTATION-ON-STACKOVERFLOW-SHOULD-BE-THE-GOOGLE-API-URL 'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc='’ in : inline script. Resource will be blocked.
Attempted fixes
default-src and connect-src set to 'self' rather than 'none'.
I can't think of anything else to try.
Update 24 hours later: Added X-Content-Security-Policy for completeness & JSBin URL updated, though it doesn't make a difference to this particular situation.
EDIT: this may be incorrect. See comments above.
IE 11 does not support Content-Security-Policy (only X-Content-Security-Policy), so this fails open.
IE 12 supports CSP, but does not grok nonces/hashes, so it fails closed... unless you also supply 'unsafe-inline' in a Content-Security-Policy header.
CSP level 2 says "if a hash or nonce is supplied, ignore 'unsafe-inline'." This is for backwards compatibility, since older browsers will grok the 'unsafe-inline' but not the nonces/hashes. See http://www.w3.org/TR/CSP2/#directive-script-src
http://caniuse.com/#feat=contentsecuritypolicy
http://caniuse.com/#feat=contentsecuritypolicy2
IE Edge does not support Content Security Policy Level 2, and hash-source belongs to level 2.