: Cannot get Content-Security-Policy to work I'm trying to implement CSP, but cannot make the script-src work correctly. I strongly want to avoid unsafe-inline, but all attempts to circumvent this

@Smith883

Posted in: #Security

I'm trying to implement CSP, but cannot make the script-src work correctly. I strongly want to avoid unsafe-inline, but all attempts to circumvent this by using sha256 hashes seem to fail.

This is what happens: Several <a>tags on the page are being modified by javascript after loading (the modifying javascript is an external file from selfand is accepted and correctly executed). This javascript does the following to such an <a> tag:

MyAElement.href="javascript:void(0);";
MyAElement.onclick=function(){showpart(this);}
MyAElement.onfocus=function(){showpart(this);}


(where showpart is defined in the aforementioend external javascript file).
When I click on such a modified link, I get a CSP violation report.
What confuses me slightly is that even if I temporarily use Content-Securtity-Policy: and not just Content-Securtity-Policy-Report-Only:, the website seems to function alright. I conclude that it is in fact the javascript:void(0); that triggers the error.

It should be possible to get rid of the error by supplying a suitable hash.
I tried both
#echo -n "javascript:void(0);" | openssl dgst -binary -sha256 | base64


and
#echo -n "void(0);" | openssl dgst -binary -sha256 | base64


but without success (i.e. even with script-src containing

'sha256-kbHtQyYDQKz4SWMQ8OHVol3EC0t3tHEJFPCSwNG9NxQ='
'sha256-Deekn20h+++EarpL0nFQLX7JSJv7s/2W9f988ZFAh14='


) the message still occurs.

What am I doing wrong?

Vote Up Vote Down

Login to post a comment!