I'm trying to write a Content Security Policy that is actually secure. The project loads a single script which then jumpstarts the rest of the application. For some reason I'm having a lot of issues getting hash with integrity to work, as the policy blocks the script regardless of the hash being calculated correctly. So I'm trying to use script-src-elem 'self'.
The current policy I have looks like this:
script-src 'strict-dynamic' 'unsafe-inline' http: https:; script-src-elem 'self' 'sha384-{SHASUM}';
What I understand is that this should block any inline script because of 'strict-dynamic' but is backwards compatible in case a browser only supports CSP2. But the script-src-elem part would allow loading scripts that are part of the same origin or have the expected hash (in case it comes from a CDN). Would a policy like this be considered secure?
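As an added example, not part of the question: a small Python script that computes the 'sha384-...' hash-source token a policy like the one above expects, fills it into the header, pairs it with the matching integrity attribute on the script element, and shows that any byte-level change to the served file (such as a trailing newline added by a build step) makes the hash no longer match. The script body, file name and CDN URL are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample script body, standing in for the bootstrap script
# the question describes. Any byte-for-byte change (a trailing newline,
# CRLF line endings, minification) produces a different hash.
BOOTSTRAP_JS = b"window.App = {}; App.boot = function () { /* ... */ };"


def csp_hash(script_bytes: bytes, algo: str = "sha384") -> str:
    """Return a CSP / SRI hash-source token such as 'sha384-<base64 digest>'.

    CSP and Subresource Integrity both use standard (not URL-safe) base64
    of the raw digest over the exact bytes of the script.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP hash-source must be sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_policy(script_hash: str) -> str:
    """Assemble the header value from the question with {SHASUM} replaced
    by a real token; hash-sources must be single-quoted in the policy."""
    return (
        "script-src 'strict-dynamic' 'unsafe-inline' http: https:; "
        f"script-src-elem 'self' '{script_hash}';"
    )


def script_tag(src: str, script_hash: str) -> str:
    """External script element carrying the same token as SRI metadata.

    For an external file, CSP3 hash-sources are matched against the
    element's integrity attribute, so the attribute must be present and
    the served bytes must still hash to it. crossorigin is required for
    SRI on a cross-origin (CDN) resource.
    """
    return (f'<script src="{src}" integrity="{script_hash}" '
            'crossorigin="anonymous"></script>')


def hashes_match(served_bytes: bytes, expected_token: str) -> bool:
    """Check that what is actually served still hashes to the policy token."""
    algo = expected_token.split("-", 1)[0]
    return csp_hash(served_bytes, algo) == expected_token


if __name__ == "__main__":
    token = csp_hash(BOOTSTRAP_JS)
    print("Content-Security-Policy:", build_policy(token))
    print(script_tag("https://cdn.example/app.js", token))
    print("unchanged bytes :", hashes_match(BOOTSTRAP_JS, token))
    print("trailing newline:", hashes_match(BOOTSTRAP_JS + b"\n", token))
```

Running it prints True for the unchanged bytes and False once a single newline is appended, which is the first thing to check when a correctly computed hash still gets blocked.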