papandreou / seespee

Create a Content-Security-Policy for a website based on the statically detectable relations
BSD 3-Clause "New" or "Revised" License

Add 'unsafe-inline' when adding hashes #2

Closed papandreou closed 8 years ago

papandreou commented 8 years ago

For interop with CSP1-compliant browsers:

$ seespee https://lodash.com/
Content-Security-Policy: default-src 'none'; img-src 'self' data:; style-src 'self'; script-src 'self' 'sha256-85RLtUiAixnqFeQvOtsiq5HBnq4nAgtgmrVVlIrEwyk=' 'sha256-9gJ3aNComH+MFu3rw5sARPpvBPOF0VxLUsw1xjxmVzE=' 'sha256-euGdatRFmkEGGSWO0jbpFAuN5709ZGDaFjCqNnYocQM='

In this case 'unsafe-inline' should be added to the script-src directive.

papandreou commented 8 years ago

Fixed in 81f89d8, released in 1.7.0.

jdalton commented 8 years ago

🤘

By the way in a csp validator I'm getting a warning like:

The 'unsafe-inline' keyword-source has no effect in source lists that contain hash-source or nonce-source.

papandreou commented 8 years ago

Then that validator doesn't take CSP Level 1-compliant browsers into account (Edge 13+14, Safari 8+9+9.1). They would block your inline script(s) if you didn't list 'unsafe-inline'.

jdalton commented 8 years ago

Ah nice! Thanks for the clarification.