 

Whitelisting inline script with csp sha-256 in firefox

I cannot get whitelisting by checksum to work in Firefox (52.0.2, Windows). Firefox supports Content Security Policy version 2 according to caniuse, so checksumming should be supported.

When Chrome blocks an inline script, it prints the needed SHA-256 to the console. Adding it to the CSP rules successfully whitelists the script. The checksum is also identical to the one calculated at https://report-uri.io/home/hash

But Firefox refuses to accept it.

I noted that the example in the MDN docs is using base-16 as opposed to base-64 encoding for the checksum. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

But even with the MDN example I get the same results. (Also Chrome rejects the base-16 encoding.) I tried a bunch of variations on the following:

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <meta http-equiv="Content-Security-Policy"
          content="script-src 'sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f'">
    <title>Hello CSP</title>
</head>
<body>
    <script type="text/javascript">var inline = 1;</script>
</body>
</html>

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f'”). Source: var inline = 1;.

mdemonic asked Mar 30 '17 04:03




2 Answers

It will work if you change the hash value as in the following:

<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <meta http-equiv="Content-Security-Policy"
        content="script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='">
  <title>Hello CSP</title>
</head>
<body>
  <script type="text/javascript">var inline = 1;</script>
</body>
</html>

Not sure why you were seeing the behavior in Chrome you describe; when I test the example in the question in Chrome, it blocks the script and emits an error message saying to use the hash value sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=.

And https://report-uri.io/home/hash also outputs that value when given var inline = 1;.

sideshowbarker answered Sep 18 '22 05:09


I couldn't put this one completely to rest since there was obviously something strange and confusing going on. And I discovered something interesting:

  • Take a valid sha-256 that works for Chrome and Firefox.
  • Replace each + with -, and each / with _.

Voila! You have a checksum that works with Chrome but not Firefox. Judging by the Base64 variants, this format is not unreasonable.

It turns out that the Dartium browser, based on Chrome 45, emits the checksum in the "alternative format," which is likely how it got onto my clipboard.

This only works with Chrome:

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-LqkgOOr2rKDFd7Yl4hZ4H8nB0Stbc-RDo573pA7E/XU='">

    <title>Hello CSP</title>

    <script type="text/javascript">alert("running");</script>
</head>
</html>
mdemonic answered Sep 17 '22 05:09
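To make the encoding differences in the two answers concrete (standard base64 as both browsers require, the hex form from the MDN example, and the base64url alphabet with `-` and `_` that Chrome tolerates but Firefox does not), here is an added Python example; it is not code from either answer, and the function names are my own. It computes the hash-source for an inline script body and normalizes a hex or base64url token into the standard base64 form.

```python
import base64
import hashlib
import re

# Byte length of each digest algorithm CSP2 allows in a hash-source.
DIGEST_LEN = {"sha256": 32, "sha384": 48, "sha512": 64}


def csp_hash_source(script_body: str, algo: str = "sha256") -> str:
    """Compute the hash-source token for an inline script.

    The digest covers exactly the text between <script> and </script>
    (no tags, no trimming), UTF-8 encoded, and CSP2 requires standard
    base64 (RFC 4648 section 4 alphabet, '+' and '/', with padding).
    """
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def normalize_hash_source(token: str) -> str:
    """Rewrite a hash-source given in hex or in the base64url alphabet
    ('-' and '_') into the standard base64 form every CSP2 browser accepts.

    Raises ValueError if the token is not a hash-source or its value does
    not decode to a digest of the expected length.
    """
    algo, sep, value = token.partition("-")
    if not sep or algo not in DIGEST_LEN:
        raise ValueError(f"not a CSP hash-source: {token!r}")
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) == 2 * DIGEST_LEN[algo]:
        raw = bytes.fromhex(value)  # hex form, as in the MDN example
    else:
        std = value.replace("-", "+").replace("_", "/")  # base64url -> base64
        raw = base64.b64decode(std, validate=True)
    if len(raw) != DIGEST_LEN[algo]:
        raise ValueError(f"{algo} digest must be {DIGEST_LEN[algo]} bytes, got {len(raw)}")
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


if __name__ == "__main__":
    # Constructed sample: the inline script body from the question above.
    print(csp_hash_source("var inline = 1;"))
    # The Chrome-only token from the second answer, rewritten to standard base64.
    print(normalize_hash_source("sha256-LqkgOOr2rKDFd7Yl4hZ4H8nB0Stbc-RDo573pA7E/XU="))
```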