
CSP: Bad instructions for hash inline-script usage

From: kysymysteke <kysymysteke@protonmail.com>
Date: Sat, 29 Jun 2019 17:17:31 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <fYWX2mH-lgVdKC_cwNjABHDl41gScofeZFnRmlUHy-vVB1mLYimKtVrIuWmfTFiUZzul2iZy_umIxf2Y4W07I11ahCQd7mYPqCtvyDXjCr4=@protonmail.com>

Hello

You have instructions here:

https://www.w3.org/TR/CSP2/#script-src-hash-usage

which says to use this command

echo -n "alert('Hello, world.');" | openssl dgst -sha256 -binary | openssl enc -base64

But that example is almost worthless, because almost no one will have just one line of JavaScript.

Please make instructions on how to take the hash of multiline JavaScript. For example, if I have this in a file:

<script type="text/javascript">
var _paq = _paq || [];
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
  var u="//piwik.xo.tc/";
  _paq.push(['setTrackerUrl', u+'piwik.php']);
  _paq.push(['setSiteId', 2]);
  var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
  g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
})();
</script>

Source:
https://xo.tc/calculating-a-base64-encoded-sha256-sum-of-inline-scripts-for-your-content-security-policy.html

How do I take the hash of that script? I have no idea, even though I have been trying to search for answers.

If I try to do this: echo -n $(cat FILE_WITH_THE_SCRIPT) | sha256sum | xxd -r -p | base64

it gives the wrong hash.

How do I get the hash of multiline JavaScript easily?

I would appreciate it if you could improve the instructions.
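The following is an added worked example, not part of the post above and not W3C or browser code. It shows, in Python, how a browser derives the CSP hash-source for an inline script: the digest covers exactly the text between the opening and closing script tags (including every newline and space, but not the tags themselves), and the result is base64-encoded, not hex. It also reproduces why `echo -n $(cat FILE)` produces a different value: the unquoted command substitution is word-split by the shell, so runs of whitespace and all newlines collapse to single spaces before anything reaches the hashing tool. The sample HTML is constructed here from the Piwik snippet in the post; the helper names (`inline_script_bodies`, `csp_hash`, `hash_after_shell_word_splitting`) are this example's own.

```python
import base64
import hashlib
import re

# Constructed sample: the Piwik snippet quoted in the post, as it would sit
# inside an HTML file alongside other markup.
SAMPLE_HTML = """<html><body>
<script type="text/javascript">
var _paq = _paq || [];
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
  var u="//piwik.xo.tc/";
  _paq.push(['setTrackerUrl', u+'piwik.php']);
  _paq.push(['setSiteId', 2]);
  var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
  g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
})();
</script>
</body></html>
"""

# Matches each inline script element and captures only its text content.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.DOTALL | re.IGNORECASE)


def inline_script_bodies(html: str) -> list[str]:
    """Return the text between each <script ...> and </script>, byte-for-byte.

    The CSP hash covers only this text: the tags and their attributes are not
    part of it, but every newline and space between the tags is.
    """
    return SCRIPT_RE.findall(html)


def csp_hash(script_text: str, alg: str = "sha256") -> str:
    """Build a CSP hash-source ('sha256-<base64>') the way a browser does.

    Digest the UTF-8 bytes of the element's text, then base64-encode the raw
    digest. A hex digest (what sha256sum prints) is not what CSP expects.
    """
    if alg not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP hash sources must use sha256, sha384 or sha512")
    digest = hashlib.new(alg, script_text.encode("utf-8")).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def hash_after_shell_word_splitting(script_text: str) -> str:
    """Reproduce what `echo -n $(cat FILE)` actually feeds to the hash.

    An unquoted $(...) undergoes word splitting, so every run of spaces,
    tabs and newlines becomes a single space and leading/trailing whitespace
    disappears. The browser hashes the original text, so the values differ.
    """
    return csp_hash(" ".join(script_text.split()))


def csp_hashes_for_file(html: str) -> list[str]:
    """One hash-source per inline script element, in document order."""
    return [csp_hash(body) for body in inline_script_bodies(html)]


if __name__ == "__main__":
    body = inline_script_bodies(SAMPLE_HTML)[0]
    print("browser hash:      ", csp_hash(body))
    print("shell-mangled hash:", hash_after_shell_word_splitting(body))
    print("spec one-liner:    ", csp_hash("alert('Hello, world.');"))
```

The practical rule this illustrates: hand the hashing tool the script text through a file or a pipe (for example `openssl dgst -sha256 -binary < body.js | openssl enc -base64`, with `body.js` holding exactly the text between the tags), never through an unquoted `$(...)` expansion, because any whitespace change produces a hash the browser will reject.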
Received on Sunday, 30 June 2019 18:46:26 UTC