Woot

Reputation: 23

CSP violation with hash

I have a JS file that is being imported by

<script src="https://example.com/file.js"/>

and I have a CSP policy with the hash that is generated when I paste the output of this file in: https://report-uri.com/home/hash

But I still get an error saying it violates this SHA256 checksum. What am I doing wrong? Isn't that supposed to have the checksum of the file?

Upvotes: 2

Views: 1057

Answers (2)

granty

Reputation: 8496

  1. report-uri.com does not calculate hashes for external scripts; it's intended for strings only. Therefore it just calculates the hash from the string of the file name entered, not from the file content.
    Correct hashes for external files can be calculated, for example, here.
    And do not forget to add the integrity= attribute to <script src='...' integrity='...'>.

  2. Be careful: Mozilla Firefox does not support hash-sources for external scripts, only for inline ones.
    Safari is the same as Firefox (at least Safari 12.1.1).

  3. The 'strict-dynamic' token is also not widely supported as of December 2020.

Upvotes: 0

Halvor Sakshaug

Reputation: 3455

Hash for external files is only supported in CSP level 3, https://www.w3.org/TR/CSP3/#external-hash. Many browsers still only support level 2.

For CSP level 2 browsers you will need to include the actual host names such as example.com. You can achieve the same whitelisting of scripts with subresource integrity (SRI hash).

Upvotes: 1
