- From: kysymysteke <kysymysteke@protonmail.com>
- Date: Sat, 29 Jun 2019 17:17:31 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <fYWX2mH-lgVdKC_cwNjABHDl41gScofeZFnRmlUHy-vVB1mLYimKtVrIuWmfTFiUZzul2iZy_umIxf2>
Hello
You have instructions here:
https://www.w3.org/TR/CSP2/#script-src-hash-usage
which says to use this command
echo -n "alert('Hello, world.');" | openssl dgst -sha256 -binary | openssl enc -base64
But that example is almost worthless, because almost no one will have a single line of JavaScript.
Please make instructions on how to take the hash of multiline JavaScript. For example, if I have this in a file:
<script type="text/javascript">
  var _paq = _paq || [];
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u="//piwik.xo.tc/";
    _paq.push(['setTrackerUrl', u+'piwik.php']);
    _paq.push(['setSiteId', 2]);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
  })();
</script>
Source:
https://xo.tc/calculating-a-base64-encoded-sha256-sum-of-inline-scripts-for-your-content-security-policy.html
How do I take the hash of that script? I have no idea, even though I have been trying to search for answers.
If I try to do this:
echo -n $(cat FILE_WITH_THE_SCRIPT) | sha256sum | xxd -r -p | base64
it gives the wrong hash.
How do I get the hash of multiline JavaScript easily?
I would appreciate it if you could improve the instructions.
Received on Sunday, 30 June 2019 18:46:26 UTC
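
Added example (not part of the original message or of the CSP specification): a CSP hash source covers every byte between the opening and closing script tags, including the newline after the opening tag and any indentation, so the body has to be piped to openssl unchanged. An unquoted $(cat FILE) collapses all whitespace and, run on the whole file, also hashes the tags themselves. The function names are hypothetical; the sketch assumes the first lowercase inline <script> element, no ">" inside its attributes, and LF line endings.

```shell
#!/bin/sh
# Added example; function names are hypothetical and the sample is constructed.

# Print the exact bytes between the first <script ...> and its </script>.
script_body() {
    awk '{ buf = buf $0 "\n" }
         END {
             rest = substr(buf, index(buf, "<script"))
             rest = substr(rest, index(rest, ">") + 1)
             printf "%s", substr(rest, 1, index(rest, "</script>") - 1)
         }' "$1"
}

# Base64 SHA-256 of the script body. Piped directly: a $(...) capture would
# strip trailing newlines and change the digest.
csp_hash() {
    script_body "$1" | openssl dgst -sha256 -binary | openssl enc -base64
}

# Contrast case: word-split the whole file (the unquoted $(cat FILE) pattern),
# which joins every token with one space and keeps the tags in the input.
flattened_hash() {
    set -f                      # no filename globbing on tokens such as [];
    set -- $(cat "$1")
    set +f
    printf '%s' "$*" | openssl dgst -sha256 -binary | openssl enc -base64
}

# Constructed sample: a two-line inline script with tags on their own lines.
make_sample() {
    printf '%s\n' \
        '<script type="text/javascript">' \
        '  var _paq = _paq || [];' \
        "  _paq.push(['trackPageView']);" \
        '</script>' > "$1"
}

tmp=$(mktemp)
make_sample "$tmp"
printf "script-src 'sha256-%s'\n" "$(csp_hash "$tmp")"
printf "flattened (will not match): %s\n" "$(flattened_hash "$tmp")"
rm -f "$tmp"
```

If the page is reformatted or minified after the hash is computed, the body bytes change and the hash must be regenerated.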