Jeremy Farmer

Reputation: 547

Nginx CSP script hash blocked

I'm having trouble correctly setting up CSP to allow an inline script.

I've gotten the hash via Chromium's dev tools.

The script is this:

<script type="text/javascript">
    var giftofspeed = document.createElement('link');
    giftofspeed.rel = 'stylesheet';
    giftofspeed.href = 'https://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700,900';
    giftofspeed.type = 'text/css';
    var godefer = document.getElementsByTagName('link')[0];
    godefer.parentNode.insertBefore(giftofspeed, godefer);

    var giftofspeed2 = document.createElement('link');
    giftofspeed2.rel = 'stylesheet';
    giftofspeed2.href = 'https://cdn.jsdelivr.net/npm/@mdi/font@latest/css/materialdesignicons.min.css';
    giftofspeed2.type = 'text/css';
    var godefer2 = document.getElementsByTagName('link')[0];
    godefer2.parentNode.insertBefore(giftofspeed2, godefer2);
</script>

And in my nginx server{} block I have added this:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'sha256-UPjgxNAqTvdVOizbbdMeDkmV6zl3BjVQJ6twL3WH0yE=';";

The way I understand it, that should allow the script to bypass CSP and be executed, but I still get CSP blocking it (and some other things).

[Screenshot: CSP console error]

I feel like I must be missing something with the setup in Nginx; I'd appreciate any help!

Just wanted to add that the CSP response headers look correct (I think).

Upvotes: 0

Views: 1601

Answers (1)

Jeremy Farmer

Reputation: 547

My CSP header was set correctly in nginx but was being overridden by my server app; adding that SHA hash to the server's CSP configuration fixed the problem.

Upvotes: 1
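As an added example (not code from the question or the answer), the Python below computes an inline script's CSP hash the way the browser does, over the exact text between the script tags, and then checks whether the header the response actually carries would allow it, which is how the nginx header and the app's overriding header above differ. The HTML sample is constructed for the example.

```python
import base64
import hashlib
import re

# Constructed sample page (not from the question): an inline script like the one
# above. The hash covers the exact text between <script> and </script>, so the
# leading newline, indentation and trailing whitespace all change it.
SAMPLE_HTML = """<html><head>
<script type="text/javascript">
        var giftofspeed = document.createElement('link');
        giftofspeed.rel = 'stylesheet';
        giftofspeed.href = 'https://fonts.googleapis.com/css?family=Roboto';
        var godefer = document.getElementsByTagName('link')[0];
        godefer.parentNode.insertBefore(giftofspeed, godefer);
      </script>
</head></html>"""

def csp_hash(script_body):
    """Source expression for an inline script: 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-%s'" % base64.b64encode(digest).decode("ascii")

def inline_scripts(html):
    """Exact bodies of <script> elements, whitespace preserved."""
    return re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.S | re.I)

def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def inline_script_allowed(script_body, header):
    """Would the browser run this inline script under the header it actually
    received? script-src falls back to default-src, and 'unsafe-inline' is
    ignored once the directive also carries a nonce or hash source."""
    policy = parse_csp(header)
    sources = set(policy.get("script-src", policy.get("default-src", [])))
    has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    return csp_hash(script_body) in sources

if __name__ == "__main__":
    body = inline_scripts(SAMPLE_HTML)[0]
    header = "default-src 'self'; script-src 'self' %s;" % csp_hash(body)
    print(csp_hash(body), inline_script_allowed(body, header))
```

Feed it the header as observed in the browser's network tab rather than the one in nginx.conf: if the app sets its own Content-Security-Policy, that is the policy the browser enforces.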
