loading local stylesheets without self source

[nizos]

I am encountering difficulties loading local stylesheets using the style-src-elem directive without including self as a source when using default-src 'none'.

Here is a simple example of the issue:

<link rel="stylesheet" href="style.css">

This setup fails to load when using the following CSP configuration:

add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src-elem 'sha256-B8tJV5ov4F69yB5NT1X1BQfMTYEq3RAfk1edjTXJQcF=';";

I have tried adding the integrity attribute, but it did not resolve the issue.

I tested with both Chrome and Firefox and encountered the same issue on both. The stylesheet gets blocked due to CSP violations.

Is it possible to load a local stylesheet without whitelisting 'self' as a source? Of so, what am i missing in my configuration?

I have set up a repository that replicates this behavior for testing:
https://github.com/nizos/csp-docker

Any guidance or clarification on whether this is expected behavior according to the CSP spec is greatly appreciated.

Thanks in advance!

[gapple]

It looks like you have a minor typo in your hash, but that's not the source of the issue

sha256-B8tJV5ov4F69yB5NT1X1BQfMTYEq3RAfk1edjTXJQcF=
sha256-B8tJV5ov4F69yB5NT1X1BQfMTYEq3RAfk1edjTXJQck=

From the spec, only the script matching algorithm includes "Does integrity metadata match source list?", so the spec would need a change to also permit external style resources by integrity hash.

The hash for external scripts is only checked if the <script> element includes an integrity attribute.

[nizos]

Hi Geoff!

Good catch! I was probably testing and forgot to revert the change.

Thanks for the reference! :)