Open sideshowbarker opened 4 years ago
OK, the https://alfchen.de/ problem can be minimally reproduced with the following (invalid) policy:
script-src 'sha256- RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc=';
Specifically, the exception can be reproduced with any policy containing a hash-source expression which (incorrectly) has whitespace after the hash-algorithm-and-dash prefix and before the base64 hash/digest value itself.
Checking https://alfchen.de/ with Salvation 2.7.2 causes an unexpected exception:
It’s also reproducible with https://cspvalidator.org/ — which claims to be running Salvation 2.6.0:
https://cspvalidator.org/#url=https://alfchen.de/
(I haven’t tested with Salvation 3.0.0, so I don’t know whether it’s reproducible there.)