Whitelisting inline script with csp sha-256 in firefox
Solution 1
It will work if you change the hash value as in the following:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
content="script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='">
<title>Hello CSP</title>
</head>
<body>
<script type="text/javascript">var inline = 1;</script>
</body>
</html>
Not sure why you were seeing the behavior in Chrome you describe; when I test the example in the question in Chrome, it blocks the script and emits an error message saying to use the hash value sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=.
And https://report-uri.io/home/hash also outputs that value when given "var inline = 1;".
Solution 2
I couldn't put this one completely to rest since there was obviously something strange and confusing going on. And I discovered something interesting:
- Take a valid sha-256 that works for Chrome and Firefox.
- Replace each + with -, and each / with _.
Voila! You have a checksum that works with Chrome but not Firefox. Judging by the Base64 variants, this format is not unreasonable.
It turns out that the Dartium browser, based on Chrome 45, emits the checksum in the "alternative format," which is likely how it got onto my clipboard.
This only works with Chrome:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-LqkgOOr2rKDFd7Yl4hZ4H8nB0Stbc-RDo573pA7E/XU='">
<title>Hello CSP</title>
<script type="text/javascript">alert("running");</script>
</head>
</html>
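To make the two answers above concrete, here is an added example (not code from either answer): it computes the CSP hash-source for an inline script the way browsers do, applies the '+'/'/' rewrite from Solution 2, extracts every inline script from a page to build a script-src directive, and lints a hash-source for the two defects on this page (the base64url alphabet that only Chrome tolerates, and a hex digest that both browsers reject). The SAMPLE_HTML page and all function names are constructed for this example.

```python
import base64
import hashlib
import re

# CSP hash-sources use standard base64 (RFC 4648 section 4). The base64url
# alphabet (section 5) swaps '+' for '-' and '/' for '_'; Solution 2 found
# Chrome accepts that variant while Firefox does not.
STANDARD_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
DIGEST_B64_LEN = {"sha256": 44, "sha384": 64, "sha512": 88}

# Constructed sample page mirroring the question: the script body is exactly
# "var inline = 1;" with no surrounding whitespace.
SAMPLE_HTML = '<html><body><script type="text/javascript">var inline = 1;</script></body></html>'


def csp_hash_source(script_body: str, algo: str = "sha256") -> str:
    """Hash-source for an inline script, computed as browsers do: over the exact
    UTF-8 bytes between <script> and </script>, with no trimming."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def to_base64url_variant(hash_source: str) -> str:
    """The '+' -> '-' and '/' -> '_' rewrite from Solution 2 (the form Dartium emitted)."""
    return hash_source.replace("+", "-").replace("/", "_")


def check_hash_source(hash_source: str) -> list:
    """Reasons a strictly conforming browser (e.g. Firefox) would reject the token;
    an empty list means the token is portable across browsers."""
    m = re.fullmatch(r"'(sha256|sha384|sha512)-([^']*)'", hash_source)
    if not m:
        return ["not of the form 'shaNNN-<base64>' with single quotes"]
    algo, value = m.groups()
    problems = []
    if not STANDARD_B64.match(value):
        problems.append("digest is not standard base64 (base64url '-'/'_' is rejected by Firefox)")
    if len(value) != DIGEST_B64_LEN[algo]:
        problems.append(f"{algo} digest must be {DIGEST_B64_LEN[algo]} base64 chars, got {len(value)} (hex is not accepted)")
    return problems


def script_src_policy(html: str) -> str:
    """Build a script-src directive whitelisting every inline script in the page."""
    bodies = re.findall(r"<script\b[^>]*>(.*?)</script>", html, flags=re.DOTALL | re.IGNORECASE)
    return "script-src " + " ".join(csp_hash_source(b) for b in bodies)


if __name__ == "__main__":
    print(script_src_policy(SAMPLE_HTML))
    print(check_hash_source("'sha256-LqkgOOr2rKDFd7Yl4hZ4H8nB0Stbc-RDo573pA7E/XU='"))
```

Run the linter over a policy before deploying it: a token with a '-' or '_' in the digest, or with a 64-character hex digest, is exactly the kind that passes a Chrome-only test and then fails in Firefox.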
mdemonic
Updated on June 04, 2022
Comments
- mdemonic, almost 2 years ago:
I cannot get whitelisting by checksum to work in Firefox (52.0.2, Windows). Firefox supports Content Security Policy version 2 according to caniuse, so checksumming should be supported.
When Chrome blocks an inline script, it prints the needed sha-256 to the console. Adding it to the CSP rules successfully whitelists the script. The checksum is also identical to the one calculated at https://report-uri.io/home/hash
But Firefox refuses to accept it.
I noted that the example in the MDN docs is using base-16 as opposed to base-64 encoding for the checksum. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
But even with the MDN example I get the same results. (Also, Chrome rejects the base-16 encoding.) I tried a bunch of variations on the following:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f'">
<title>Hello CSP</title>
</head>
<body>
<script type="text/javascript">var inline = 1;</script>
</body>
</html>
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f'”). Source: var inline = 1;.