CSP style-src SHA256 present, but browser issues warning that it isn't

Time:12-24

I've added the following CSP to my nginx configuration:

add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src *.gravatar.com; script-src-elem 'self' 'sha256-HeezHnLPgcw5524/5YMbWWQXJ/fdKZsQX5vG7t1UmJw=' 'sha256-FVzC2JpGNv45prICvPCadmKf wnLz6Eem3UQaAnTK/4=' 'sha256-Tr3bLHN4KJG2A/qFIDTX Yb0nG Z HS9VAD6k0/r vY=' 'sha256-NYk7Q8DQLjjJRwkQ9oG2juhRXSdsOjLWMy0IpXWymRc=' 'sha256-pu6oe0vPSMzzITPF3U0Z8qBWhbBKykixk7D9kFsDySY='; script-src-attr 'self'; style-src 'sha256-0EZqoz oBhx7gF4nvY2bSqoGyy4zLjNF SDQXGp/ZrY='; style-src-elem 'self' 'sha256-OyKg6OHgnmapAcgq002yGA58wB21FOR7EcTwPWSs54E=' 'sha256-CK/6NyEbsJb3V2Bo26t3s0V3RAi3gTWWrjUNGLIZLfw=' 'sha256-hc4UHa0RDFRaKgh CLvhy5nf4yco/u xPDeTrTejhg=';";

My browser (Chrome) issues the following warning:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-0EZqoz oBhx7gF4nvY2bSqoGyy4zLjNF SDQXGp/ZrY='". Either the 'unsafe-inline' keyword, a hash ('sha256-0EZqoz oBhx7gF4nvY2bSqoGyy4zLjNF SDQXGp/ZrY='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

As you can see, the hash style-src 'sha256-0EZqoz oBhx7gF4nvY2bSqoGyy4zLjNF SDQXGp/ZrY=' is present and set, but the browser is saying there's still a problem.

I can't work this out. Any help?

CodePudding user response:

This is answered well here: Refused to execute inline event handler because it violates CSP. (SANDBOX)

As user27878850 suggests, you could add 'unsafe-hashes', but that would currently only work in Chromium browsers.
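The behaviour the browser warning describes (hashes apply to `<style>` elements, but not to `style=""` attributes unless 'unsafe-hashes' is listed) can be checked offline. This is an added example, not code from the question or the answer: the function names, sample page and policies are constructed, and the matching covers only hashes, 'unsafe-inline' and 'unsafe-hashes' with the CSP Level 3 directive fallback, not nonces or URL sources.

```python
import base64
import hashlib
from html.parser import HTMLParser

def csp_hash(text):
    """CSP hash-source for a <style> body or a style="" attribute value."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

class InlineStyles(HTMLParser):  # collects ("elem", body) and ("attr", value)
    def __init__(self):
        super().__init__()
        self.found, self._in_style = [], False
    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        self.found += [("attr", v) for k, v in attrs if k == "style" and v]
    def handle_data(self, data):
        if self._in_style:
            self.found.append(("elem", data))
    def handle_endtag(self, tag):
        self._in_style = False

def sources_for(policy, kind):
    """Source list governing `kind`, following the CSP3 fallback chain."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    for name in ("style-src-" + kind, "style-src", "default-src"):
        if name in directives:
            return directives[name]
    return ["'unsafe-inline'"]  # no governing directive: inline is unrestricted

def allowed(policy, kind, text):
    sources = sources_for(policy, kind)
    restricted = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    if "'unsafe-inline'" in sources and not restricted:
        return True  # 'unsafe-inline' is ignored once a hash or nonce is listed
    if kind == "attr" and "'unsafe-hashes'" not in sources:
        return False  # hashes do not apply to style attributes without it
    return csp_hash(text) in sources

def audit(html, policy):
    parser = InlineStyles()
    parser.feed(html)
    return [(kind, allowed(policy, kind, text)) for kind, text in parser.found]

PAGE = '<style>p{color:red}</style><p style="color:blue">hi</p>'  # constructed
```

Calling `audit(PAGE, policy)` with a policy whose style-src lists both hashes reports the `<style>` element as allowed and the attribute as blocked until 'unsafe-hashes' is added to the directive that governs attributes (style-src-attr, else style-src).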
