
Getting

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-UTjtaAWWTyzFjRKbltk24jHijlTbP20C1GUYaWPqg7E=' 'sha256-lAjyGSIzNSfpcl56itQltlKnBClAWcbXqXwsWgwPBDM=' 'sha256-IQ1w928Id2I18HopWjf2QH1yWRabHjMmdIigddkJsjk=' 'sha256-gx2qS9lINA9HjEhSBFaGgUjlVL1GCqJxyGoHpGODeo8=' 'sha256-nFZFLbV913URty3kcgmuV3NUKJUM9TYhEZ+OkHy6DxU=' 'sha256-xfnLUXCYTisGE0l0rOaR+OgO5EG+uV25p4QNcjB5dWg=' 'sha256-TUXjxBhzs16+YXaJCnt/+EyyEldkUoAz/SvQCm05hFw=' blob:". Either the 'unsafe-inline' keyword, a hash ('sha256-gx2qS9lINA9HjEhSBFaGgUjlVL1GCqJxyGoHpGODeo8='), or a nonce ('nonce-...') is required to enable inline execution.

Note, however, that the hash it wants me to add is already present.

Using the latest Chrome.

What is the problem with my CSP header?

Chuck Le Butt
HelloWorld

2 Answers

You were caught by a tricky way. There are 2 kinds of inline styles:

  1. <style>...</style> - supports the 'hash-value' token
  2. <tag style='...'> - does not support the 'hash-value' token

But Chrome computes sha256 values for both of those, because it is preparing to support the 'unsafe-hashes' token (it is implemented, sorry). Chrome's console messages show no difference between the two styles above; both are reported as inline.

So somewhere in your HTML code you have an inline style in a tag (item 2). Chrome computed a sha256 hash for it and fired a warning in the console. You added this hash to the CSP but still have a warning, because the style in the tag is blocked: it cannot be allowed via a 'hash-value'.

granty

You can use the CSP Level 3 'unsafe-hashes' directive (browser support) in conjunction with the hashes. The hashes don't seem to work for inline styles without it.

Warning

Whenever you see the prefix unsafe in a CSP keyword, that means that using this is not the most secure way to go.

'unsafe-hashes' will not only allow the inline style to be applied on your elements, but also on any element injected by an attacker. A better approach is to move the styles in a CSS file.

borisdiakur
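The two answers above describe one rule: a 'sha256-...' token in style-src covers the text of a <style> element, but a style="..." attribute is only covered when 'unsafe-hashes' is also present. The following Python audit script is an added example (not code from either answer); it computes the CSP hash token for every inline style in a page and reports which ones a given style-src value would actually allow. The sample HTML and the regex-based extraction are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample page: one <style> element and one style attribute.
SAMPLE_HTML = """<style>body { margin: 0 }</style>
<div style="color: red">hi</div>"""


def csp_hash(source: str) -> str:
    """CSP hash token for inline content: base64(sha256) of the exact bytes."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_styles(html: str):
    """Yield (kind, source) for every <style> element and style= attribute."""
    for m in re.finditer(r"<style[^>]*>(.*?)</style>", html, re.S | re.I):
        yield "element", m.group(1)
    for m in re.finditer(r"""\sstyle\s*=\s*(["'])(.*?)\1""", html, re.S | re.I):
        yield "attribute", m.group(2)


def check_style_src(directive: str, html: str):
    """Return [(kind, hash_token, allowed)] for each inline style under the directive.

    Rules applied (CSP Level 3):
    - 'unsafe-inline' allows everything, but is ignored once a hash or nonce is listed.
    - A matching hash allows a <style> element on its own.
    - A matching hash allows a style attribute only together with 'unsafe-hashes'.
    """
    tokens = directive.split()
    has_hash_or_nonce = any(t.startswith(("'sha", "'nonce-")) for t in tokens)
    results = []
    for kind, source in inline_styles(html):
        token = csp_hash(source)
        if "'unsafe-inline'" in tokens and not has_hash_or_nonce:
            allowed = True
        elif kind == "element":
            allowed = token in tokens
        else:
            allowed = token in tokens and "'unsafe-hashes'" in tokens
        results.append((kind, token, allowed))
    return results


if __name__ == "__main__":
    policy = "'self' " + csp_hash("body { margin: 0 }") + " " + csp_hash("color: red")
    for kind, token, allowed in check_style_src(policy, SAMPLE_HTML):
        print(f"{kind:9} {token} allowed={allowed}")
```

Running it with both hashes listed shows the element allowed and the attribute still blocked, which is exactly the console message in the question; the fix that keeps the policy strict is to move the attribute's declarations into a stylesheet rather than adding 'unsafe-hashes'.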