
Issue 923954

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug


CSP3 'script-src-attr' does not support hashes

Project Member Reported by a...@google.com, Yesterday (32 hours ago)

Issue description

Chrome Version: 73.0.3673.0
OS: Linux

I'm ~99% sure this is just not yet implemented, but I figured I'd file a bug just in case: while script-src-attr can be used to allow all inline event handlers by setting 'unsafe-inline', it does not accept hashes.

Example: 
<head>
    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'sha256-pl1QZw3KJ2dmQHup5fd4JxA8ckevO4yaR6GsuN7aB3U='; script-src-attr 'sha256-pl1QZw3KJ2dmQHup5fd4JxA8ckevO4yaR6GsuN7aB3U='">
</head>

<body onload='alert(document.currentScript)'>
<script>alert(document.currentScript)</script>
</body>

In this document, the inline script will be blessed by the hash, but the same script inside the `onload` attribute (with the same hash) will be blocked. In order to provide developers with a way to allow only a set of trusted inline script values, script-src-attr would have to support hashes.

Cheers!
-Artur
 

Comment 1 by a...@google.com, Yesterday (32 hours ago)

Summary: CSP3 'script-src-attr' does not support hashes (was: CSP3 'script-src-attr' cannot)