I can not get whitelisting by checksum to work in firefox (52.0.2, windows). Firefox supports content security policy version 2 according to caniuse, so checksumming should be supported.
When chrome blocks an inline script, it prints the needed sha-256 to console. Adding it to the csp rules successfully whitelists the script. The checksum is also identical to the one calculated at https://report-uri.io/home/hash
But firefox refuse to accept it.
I noted that the example in the MDN docs is using base-16 as opposed to base-64 encoding for the checksum. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
But even with the MDN example I get the same results. (Also chrome rejects with the base-16 encoding). I tried a bunch of variations on the following:
<!DOCTYPE html><html><head> <meta charset="UTF-8"> <meta http-equiv="Content-Security-Policy" content="script-src 'sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f'"> <title>Hello CSP</title></head><body> <script type="text/javascript">var inline = 1;</script></body></html>Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src ‘sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f’”). Source: var inline = 1;.
Advertisement
Answer
It will work if you change the hash value as in the following:
<!DOCTYPE html><html><head> <meta charset="UTF-8"> <meta http-equiv="Content-Security-Policy" content="script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='"> <title>Hello CSP</title></head><body> <script type="text/javascript">var inline = 1;</script></body></html>Not sure why you were seeing the behavior in Chrome you describe; when I test the example in the question in Chrome, it blocks the script and emits an error message saying to use the hash value sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=.
And https://report-uri.io/home/hash also outputs that value when given var inline = 1;.