- From: Scott Bassett <sbassett@wikimedia.org>
- Date: Mon, 1 Jul 2019 11:06:55 -0500
- To: kysymysteke <kysymysteke@protonmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAGHy=chc5i0654Zcfk8LiRfi7o=ipeSh=2cKEfrXNd8+71Zonw@mail.gmail.com>
Hello-

I'm not sure you need to wrap the cat statement with echo -n. This command:

$ cat test.js | sha256sum | xxd -r -p | base64

yields this hash:

agzfwYZgNhXfv33CO487iMvaQ6rs8Yo7m7B9skxHe6U=

and this command (from the w3c.org documentation):

$ cat test.js | openssl dgst -sha256 -binary | openssl enc -base64

yields the same hash:

agzfwYZgNhXfv33CO487iMvaQ6rs8Yo7m7B9skxHe6U=

where the contents of test.js are your snippet:

var _paq = _paq || [];
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
var u="//piwik.xo.tc/";
_paq.push(['setTrackerUrl', u+'piwik.php']);
_paq.push(['setSiteId', 2]);
var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
})();

On Sun, Jun 30, 2019 at 1:48 PM kysymysteke <kysymysteke@protonmail.com> wrote:

> Hello
>
> You have instructions here:
>
> https://www.w3.org/TR/CSP2/#script-src-hash-usage
>
> which says to use this command
>
> echo -n "alert('Hello, world.');" | openssl dgst -sha256 -binary | openssl enc -base64
>
> But that example is almost worthless, because almost no one will have one line of JavaScript.
>
> Please make instructions on how to take the hash of a multiline JavaScript. For example if I have this in a file:
>
> <script type="text/javascript">
> var _paq = _paq || [];
> _paq.push(['trackPageView']);
> _paq.push(['enableLinkTracking']);
> (function() {
> var u="//piwik.xo.tc/";
> _paq.push(['setTrackerUrl', u+'piwik.php']);
> _paq.push(['setSiteId', 2]);
> var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
> g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
> })();</script>
>
> Source: https://xo.tc/calculating-a-base64-encoded-sha256-sum-of-inline-scripts-for-your-content-security-policy.html
>
> How do I take the hash of that script? I have no idea, even though I have been trying to search for answers.
>
> If I try to do this: "echo -n $(cat FILE_WITH_THE_SCRIPT) | sha256sum | xxd -r -p | base64
>
> it gives the wrong hash.
>
> How do I get the hash of multiline JavaScript easily?
>
> I would appreciate it if you could improve the instructions.
>

--
Scott Bassett
sbassett@wikimedia.org
Received on Tuesday, 2 July 2019 07:54:22 UTC
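An added example, not part of the original thread: a Python sketch that goes one step beyond the shell commands above by pulling each inline script body out of the HTML exactly as served and computing its CSP `'sha256-…'` source, then comparing it with the hash of the whitespace-collapsed text that an unquoted `$(cat FILE)` produces. The class and function names are hypothetical and the sample page is constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser

class InlineScripts(HTMLParser):
    """Collect the text between <script> and </script> of inline scripts."""
    def __init__(self):
        super().__init__()
        self.bodies, self.buf = [], None  # buf is a list only inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self.buf = []

    def handle_data(self, data):
        if self.buf is not None:
            self.buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.buf is not None:
            self.bodies.append("".join(self.buf))
            self.buf = None

def inline_script_bodies(html):
    # Browsers normalise CRLF/CR to LF before parsing, so hash the same bytes.
    parser = InlineScripts()
    parser.feed(html.replace("\r\n", "\n").replace("\r", "\n"))
    parser.close()
    return parser.bodies

def csp_hash(script_text):
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def shell_collapsed(text):
    # Unquoted $(cat FILE), globbing aside: split on whitespace, rejoin with spaces.
    return " ".join(text.split())

# Constructed sample page; the inline script reuses two lines from the thread.
PAGE = """<head>
<script type="text/javascript">
  var _paq = _paq || [];
  _paq.push(['trackPageView']);
</script>
<script src="/static/app.js"></script>"""

if __name__ == "__main__":
    body = inline_script_bodies(PAGE)[0]
    print("as served:", csp_hash(body), "collapsed:", csp_hash(shell_collapsed(body)))
```

The two printed values differ because the newline after the opening tag and the indentation are part of the hashed text, so the value for the policy has to come from the bytes between the tags, not from a re-typed or re-flowed copy.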