Content Security Policy img-src hash of data url

I am trying to limit my CSP img-src to the one image I use, which happens to be encoded as a data URL in our css. Something like this:

background-image: url('data:image/svg+xml;utf8,<svg width="14px"...');

I would prefer to not just turn on all data: images by doing "img-src data:", so ideally what I want to do is just use the hash source format:

img-src sha512-SHA_OF_DATA_URL_ABOVE

However, I have not been able to get this to work. I have tried hashing only the actual SVG, as well as including the mime-type and data scheme, with no luck:

> echo -n "<svg width=\"14px\"..." | openssl dgst -sha512 -binary | openssl enc -A -base64 
> echo -n "image/svg+xml;utf8,<svg width=\"14px\"..." | openssl dgst -sha512 -binary | openssl enc -A -base64 
> echo -n "data:image/svg+xml;utf8,<svg width=\"14px\"..." | openssl dgst -sha512 -binary | openssl enc -A -base64 

None of these seem to work when I put them in img-src. Is the hash method just not supported for the I guess weird edge case of data URL images?

Upvotes: 3

Views: 1260

Answers (1)

granty

Reputation: 8496

CSP2 implements hash usage for inline script elements (https://www.w3.org/TR/CSP2/#script-src-hash-usage) and inline style elements (https://www.w3.org/TR/CSP2/#style-src-hash-usage) only.

CSP3 extends hash usage to external scripts via SRI (https://www.w3.org/TR/CSP3/#external-hash).

Allowing <img> elements via hashes is not supported; maybe in the future.

Upvotes: 2
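As an added example (not code from the asker or the answerer), a small policy checker that catches the misconfiguration discussed above: a hash-source placed in a directive where browsers do not honour it, such as `img-src`. It assumes, following the answer, that only `script-src` and `style-src` accept hash-sources, and it also shows how a CSP2-style hash for an inline `<style>` or `<script>` body is computed.

```python
import base64
import hashlib
import re

# Assumption for this example: only the two directives the answer cites honour
# hash-sources. A hash listed anywhere else is silently ignored by the browser,
# so the resource it was meant to allow stays blocked.
HASH_CAPABLE = {"script-src", "style-src"}

# Matches 'sha256-...', 'sha384-...', 'sha512-...' with or without the single
# quotes the spec requires; the quotes are checked separately below.
HASH_RE = re.compile(r"^(')?sha(256|384|512)-[A-Za-z0-9+/=]+(')?$")


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def find_ineffective_hashes(header):
    """Return (directive, source, reason) for hash-sources that will not work."""
    problems = []
    for directive, sources in parse_csp(header).items():
        for src in sources:
            m = HASH_RE.match(src)
            if not m:
                continue
            if directive not in HASH_CAPABLE:
                problems.append((directive, src, "hash-source not honoured here"))
            elif not (m.group(1) and m.group(3)):
                problems.append((directive, src, "hash-source must be single-quoted"))
    return problems


def csp_hash(content, algo="sha512"):
    """Quoted CSP2 hash-source for the exact bytes of an inline element body."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


if __name__ == "__main__":
    # Constructed header mirroring the question: a hash in img-src (ignored).
    header = "default-src 'self'; img-src 'self' sha512-AAAA; style-src 'self'"
    for problem in find_ineffective_hashes(header):
        print("CSP warning: %s %s: %s" % problem)
```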
