Open douglasnaphas opened 5 years ago
I switched to Content-Security-Policy-Report-Only
(on csrfx.com, which I'm using to test out CSPs for passover.lol) because of these errors.
```
csrfx.com/:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-YnlT5kJd8a5B5C/Wj/sJbSxbvWEdbHfK3AiPPMBAsAM='), or a nonce ('nonce-...') is required to enable inline execution.
csrfx.com/:1 Refused to load manifest from 'https://csrfx.com/manifest.json' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'manifest-src' was not explicitly set, so 'default-src' is used as a fallback.
```
Something like `grep -o -E '<script>.*?</script>' build/index.html` will be needed to get the contents of the inline script, so that I can hash it, so that I can use the CSP hash method for script sources.
Getting the base64-encoded SHA256 hash of the content of a script tag:

```sh
ggrep -o -P '(?<=<script>).*?(?=</script>)' build/index.html | tr -d '\n' | openssl dgst -binary -sha256 | base64
```
This:

```console
$ echo -n 'var inline = 1;' | openssl dgst -binary -sha256 | base64
B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=
```

agrees with the example on this page of a hash-based script src.
Moreover, the error message for the latest contents of index.html in CSRFX gives the Base64-encoded SHA256 it is looking for, and this agrees with the command above.

```
(index):1 [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-NjI3OTUzZTY0MjVkZjFhZTQxZTQyZmQ2OGZmYjA5NmQyYzViYmQ2MTFkNmM3N2NhZGMwODhmM2NjMDQwYjAwMwo='". Either the 'unsafe-inline' keyword, a hash ('sha256-YnlT5kJd8a5B5C/Wj/sJbSxbvWEdbHfK3AiPPMBAsAM='), or a nonce ('nonce-...') is required to enable inline execution.
```

```console
$ ggrep -o -P '(?<=<script>).*?(?=</script>)' build/index.html | tr -d '\n' | openssl dgst -binary -sha256 | base64
YnlT5kJd8a5B5C/Wj/sJbSxbvWEdbHfK3AiPPMBAsAM=
```
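An added example (not from this issue or the project) that does the same extraction and hashing in Python instead of grep/openssl: it keeps each inline script's exact text rather than a single grep line, and adds the check a reviewer would want before pasting a token into a header, since a valid `sha256-` source decodes to exactly 32 bytes while the token in the header above decodes to 65 (a hex digest plus newline that was base64-encoded, i.e. `openssl dgst` without `-binary`). The HTML below is constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser

class InlineScriptExtractor(HTMLParser):
    # Collects the exact body of each <script> without a src attribute. CSP hashes
    # the text byte for byte (whitespace included), so nothing is trimmed or reflowed.
    def __init__(self):
        super().__init__()
        self.scripts, self._inline, self._buf = [], False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._inline, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._inline:
            self.scripts.append("".join(self._buf))
            self._inline = False

    def handle_data(self, data):
        if self._inline:
            self._buf.append(data)

def csp_sha256_token(script_text):
    # base64 of the RAW 32-byte digest, not of its hex rendering: this is the
    # difference between 'openssl dgst -binary -sha256' and plain 'openssl dgst'.
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

def inline_script_tokens(html):
    parser = InlineScriptExtractor()
    parser.feed(html)
    parser.close()
    return [csp_sha256_token(body) for body in parser.scripts]

def decoded_digest_length(token):
    # Sanity check for a token pasted into a header: a real sha256 source
    # decodes to 32 bytes; 64 or 65 means hex text (plus newline) was encoded.
    return len(base64.b64decode(token.partition("-")[2]))

# Constructed sample page: one external script (ignored) and two inline scripts.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="/static/main.js"></script>
<script>var inline = 1;</script>
<script>
  window.dataLayer = window.dataLayer || [];
</script>
</head><body></body></html>"""
```

The second inline script spans three lines, so its token only matches when the surrounding newlines and indentation are hashed too; a `tr -d '\n'` pipeline would produce a token the browser rejects.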
Reference