I cannot get whitelisting by checksum to work in Firefox (52.0.2, Windows). Firefox supports Content Security Policy version 2 according to caniuse, so checksumming should be supported.
When Chrome blocks an inline script, it prints the needed SHA-256 to the console. Adding it to the CSP rules successfully whitelists the script. The checksum is also identical to the one calculated at https://report-uri.io/home/hash
But Firefox refuses to accept it.
I noted that the example in the MDN docs is using base-16 as opposed to base-64 encoding for the checksum. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
But even with the MDN example I get the same results. (Chrome also rejects the base-16 encoding.) I tried a bunch of variations on the following:
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <meta http-equiv="Content-Security-Policy" content="script-src 'sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f'">
  <title>Hello CSP</title>
</head>
<body>
  <script type="text/javascript">var inline = 1;</script>
</body>
</html>
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src ‘sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f’”). Source: var inline = 1;.
Answer
It will work if you change the hash value as in the following:
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <meta http-equiv="Content-Security-Policy" content="script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='">
  <title>Hello CSP</title>
</head>
<body>
  <script type="text/javascript">var inline = 1;</script>
</body>
</html>
Not sure why you were seeing the behavior in Chrome you describe; when I test the example in the question in Chrome, it blocks the script and emits an error message saying to use the hash value sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=.
And https://report-uri.io/home/hash also outputs that value when given var inline = 1;.
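The two hash strings in this thread are the same SHA-256 digest in different encodings: the MDN example is hex, while CSP hash-sources require base64. The following is an added example (not code from the question or answer) that computes the base64 hash-source for an inline script the way a browser does, converts the hex form to the accepted form, and shows why a stray newline inside the script tag makes the hash stop matching; the function names are my own.

```python
import base64
import hashlib

# The inline script body exactly as it appears between the <script> tags on the page.
INLINE_SCRIPT = "var inline = 1;"

# Hex digest from the MDN example quoted in the question.
MDN_HEX_DIGEST = "076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f"


def csp_hash_source(script: str, algorithm: str = "sha256") -> str:
    """Return the CSP hash-source token ('sha256-<base64>') for an inline script body.

    The browser hashes the raw UTF-8 bytes between <script> and </script> with no
    trimming or normalisation, so the input must match the markup byte for byte.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP hash-sources allow only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, script.encode("utf-8")).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def hex_to_csp_hash_source(hex_digest: str, algorithm: str = "sha256") -> str:
    """Re-encode a hex digest (the form MDN showed) into the base64 form CSP accepts."""
    raw = bytes.fromhex(hex_digest)
    expected_len = {"sha256": 32, "sha384": 48, "sha512": 64}[algorithm]
    if len(raw) != expected_len:
        raise ValueError(f"{algorithm} digest must be {expected_len} bytes, got {len(raw)}")
    return f"{algorithm}-{base64.b64encode(raw).decode('ascii')}"


def build_script_src(*scripts: str) -> str:
    """Build a script-src directive whitelisting each inline script by hash."""
    return "script-src " + " ".join(f"'{csp_hash_source(s)}'" for s in scripts)


if __name__ == "__main__":
    print(csp_hash_source(INLINE_SCRIPT))
    print(hex_to_csp_hash_source(MDN_HEX_DIGEST))
    print(build_script_src(INLINE_SCRIPT))
    # A newline inside the <script> tag changes the bytes, and therefore the hash.
    print(csp_hash_source(INLINE_SCRIPT + "\n") == csp_hash_source(INLINE_SCRIPT))
```

Paste the computed token into the meta tag's content attribute; if the browser still reports a different hash, the bytes inside the script tag (including leading or trailing whitespace) differ from what was hashed.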