javascript - Microsoft Edge not accepting hashes for Content-Security Policy -

-

the problem

content-security-policy should blacklist script , style parsing default , allow based on various instructions of 1 verified hash of expected output. browser must fail implement javascript or css has not been given matching hash in advance. code matching hash should executed normal. microsoft edge refusing js/css in-page blocks.

demonstration original source code

<!doctype html> <html> <head> <meta charset="utf-8" /> <meta http-equiv="content-security-policy" content="default-src 'self'; style-src 'sha256-jtuhvm7uqo2kx5iegwxn+rheyzzsyfelfo2gxvyeuwa='; script-src https://ajax.googleapis.com 'sha256-izzrsbzugxfoatdnb/e6rqbssyxqrp7w8ytzd2wg/rc=';" /> <meta http-equiv="x-content-security-policy" content="default-src 'self'; style-src 'sha256-jtuhvm7uqo2kx5iegwxn+rheyzzsyfelfo2gxvyeuwa='; script-src https://ajax.googleapis.com 'sha256-izzrsbzugxfoatdnb/e6rqbssyxqrp7w8ytzd2wg/rc=';" /> <style>#loading{color:transparent}#loading:after{color:green;content:"style loaded."}</style> </head> <body> <span id="loading">hashes loading...</span> <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script> <script>alert("script loaded.")</script>
  • expected behaviour: body should change "style loaded.", alert box should "script loaded.", external javascript should not throw error. console shows no issues.
  • actual behaviour: body stuck on "hashes loading...". hashes refused, external javascript accepted. console shows errors:

csp14304: unknown source ‘'sha256-jtuhvm7uqo2kx5iegwxn+rheyzzsyfelfo2gxvyeuwa='’ directive ‘style-src’ in - source ignored.

csp14306: no sources given directive ‘style-src’ - equivalent using ‘none’ , prevent downloading of resources of type.

csp14304: unknown source ‘'sha256-izzrsbzugxfoatdnb/e6rqbssyxqrp7w8ytzd2wg/rc='’ directive ‘script-src’ in - source ignored.

csp14312: resource violated directive ‘style-src 'sha256-jtuhvm7uqo2kx5iegwxn+rheyzzsyfelfo2gxvyeuwa='’ in : inline style. resource blocked.

csp14312: resource violated directive ‘script-src link-removed-insufficient-reputation-on-stackoverflow-should-be-the-google-api-url 'sha256-izzrsbzugxfoatdnb/e6rqbssyxqrp7w8ytzd2wg/rc='’ in : inline script. resource blocked.

attempted fixes

  • verifying hashes correct: double-checked calculation binary, that's it. not do, other browsers accepting them.
  • changed values of default-src , connect-src self rather none

i can't think of else try.

update 24 hours later: added x-content-security-policy completeness & jsbin url updated, though doesn't make difference particular situation.

edit: may incorrect. see comments above.

ie 11 not support content-security-policy (only x-content-security-policy), fails open. ie 12 supports csp, not grok nonces/hashes, fails closed... unless supply 'unsafe-inline' in content-security-policy header.

csp level 2 says "if hash or nonce supplied, ignore 'unsafe-inline'." backwards compatibility since older browsers grok 'unsafe-inline' not nonces/hashes. see http://www.w3.org/tr/csp2/#directive-script-src


Comments

Post a Comment

Popular posts from this blog

qt - Using float or double for own QML classes -

-
i've created components , helper methods using c++ , qt used in qml gui. of methods calculate gui elements (size, transformations, scene graph items creation). target arm 32 bit using opengl / eglfs render output. opengl using float , qml using real (defined double ). what should use in c++ do not lose precision? if use qreal ( double ) shouldn't lose precision. if git grep float in qtbase.git , can find out bit more: dist/changes-5.2.0-**************************************************************************** dist/changes-5.2.0-* important behavior changes * dist/changes-5.2.0-**************************************************************************** dist/changes-5.2.0- dist/changes-5.2.0- - qt compiled qreal typedef'ed double on dist/changes-5.2.0: platforms. qreal float on arm chipsets before. guarantees more dist/changes-5.2.0- consistent behavior between platforms qt supports, binary dist/chan...
Read more

Create Outlook appointment via C# .Net -

-
i need create outlook appointment using microsoft.office.interop.outlook , while can work locally on own workstation , works if run web application via server's browser, not work when connect server externally. hence, think might permission issue. i changed application pool identity " localsystem " don't access denied error. unfortunately, doesn't work. the app behaves if appointment created, appointment doesn't appear in outlook. here include file on top of aspx.cs page using outlook = microsoft.office.interop.outlook; here code using pop appointment. outlook.application apptapp = new outlook.application(); outlook.appointmentitem appt = apptapp.createitem(outlook.olitemtype.olappointmentitem) outlook.appointmentitem; appt.subject = txtfirstname.text + " " + txtlastname.text; appt.body = txtcomment.text; appt.alldayevent = false; appt.start = datetime.parse(txtreminderdate.text + " 8:00 am"); appt.end = datetime.p...
Read more

ios - Swift Array Resetting Itself -

-
i have 2 arrays: pointhistory , datehistory . have nstimer , , when timer runs out, action called. in action appending int pointhistory , , current date string datehistory . here timer action: func timeraction() { let steppervalue = int(stepper.value) employee.numberofpoints = steppervalue networking.saveemployee(employee, completion: { (error) -> void in if error != nil { let alert = uialertcontroller(title: "error", message: "there error updating \(self.employee.name)'s points", preferredstyle: .alert) let alertaction = uialertaction(title: "ok", style: .cancel, handler: nil) alert.addaction(alertaction) self.presentviewcontroller(alert, animated: true, completion: nil) } }) var dateformatter = nsdateformatter() dateformatter.dateformat = "mm-dd-yyyy" dateformatter.timezone = nstimezone.localtimezone() var date = nsdate() var ...
Read more