-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix or remove support for automatically-computed CSP hashes #432
Comments
@chongfai13 you should be able to add those values directly into your config. There's also an automated tool for dynamically applying specific hashes but I'm not sure anyone uses it https://github.com/github/secure_headers/blob/master/docs/hashes.md |
Hi Oreoshake Thanks for your reply, we have followed the instructions but unfortunately it’s not working. Can you advise or perhaps show me the steps? |
@chongfai13 Can you provide more details about what is not working? Did the rake task execute? Are the hashes being generated ( |
Hi Oreshake, yes, the file config/secure_headers_generated_hashes.yml is generated with the content: (three dashes) and these hashes not included in the header. Please help |
And you have raw |
Hi Oreoshake, sorry for late reply, you may see my source code here: https://github.com/chongfai13/secure_headers I have successfully made the hashes, question: How do I set it at the headers? I wish to create like this: Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src |
Hi @chongfai13 it looks like that test repo is enough for to me to look into this, thanks for putting that together. Unfortunately, I'm very busy so it may be some time before I can get to it. I've set a reminder so I (hopefully) won't forget. |
I think the script will calculate a wrong value if the inline code is in a .html.erb file, even if the javascript code is static. In my case it looks like this
If I insert the sha256 from the error message into the yml, it works fine. But the generate_hashes task will generate a different sha256 that will not work. |
Hello, it has been some time since our last communication and I'm not sure we arrived at a solution or debugging situation. The script hash support was primarily built to support inclusion of the script hash feature of CSP 2. Personally, I have never used it. It has tests. I have tested it. But it hasn't been proved in production AFAIK. I've updated the title to reflect that this feature needs to be first-class or removed. Anything in between is detrimental to the library, specification, and person trying to use it. |
I am also seeing this right now. |
Investigating a little further, the issue appears to be a difference in how the hash is computed when the |
Thanks for digging in to this. That seems like a pretty bad limitation of the current implementation. But that also sounds like it would be easy to fix (and test :smile). |
Version 6.3.3 was released with @rahearn's fixes to hash generation. Maybe that fixes the problems reported here? |
Hi there
I would like to create random hashes from the inline script by using sha256 like the following results:
Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='
Appreciate for your kind asist.
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
The text was updated successfully, but these errors were encountered: