Asked Thursday, March 30, 2017
I cannot get whitelisting by checksum to work in Firefox (52.0.2, Windows). Firefox supports Content Security Policy version 2 according to caniuse, so checksumming should be supported.


When Chrome blocks an inline script, it prints the needed SHA-256 to the console. Adding it to the CSP rules successfully whitelists the script. The checksum is also identical to the one calculated at https://report-uri.io/home/hash


But Firefox refuses to accept it.


I noted that the example in the MDN docs is using base-16 as opposed to base-64 encoding for the checksum.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src


But even with the MDN example I get the same results. (Also, Chrome rejects the base-16 encoding.) I tried a bunch of variations on the following:


<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
content="script-src 'sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f'">
<title>Hello CSP</title>
</head>
<body>
<script type="text/javascript">var inline = 1;</script>
</body>
</html>


Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f'”). Source: var inline = 1;.


Answers
It will work if you change the hash value as in the following:


<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
content="script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='">
<title>Hello CSP</title>
</head>
<body>
<script type="text/javascript">var inline = 1;</script>
</body>
</html>

Not sure why you were seeing the behavior in Chrome you describe; when I test the example in the question in Chrome, it blocks the script and emits an error message saying to use the hash value sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=.


And https://report-uri.io/home/hash also outputs that value when given var inline = 1;.


Answered Monday, March 27, 2017