如何允许使用“不安全哈希”在 CSP 中执行内联事件处理程序

Question

We are trying to enable Content Security Policy to prevent XSS, so we put the script-src 'self' in order to avoid inline scripts. However our application is using a third party javascript library that has inline event handler.

We read that adding the unsafe-hashes attribute with a sha256 hash in order to allow this specific library to execute inline events:

We added the following policy in the web.cofig:

However is giving us the following error in Google Chrome browser console:

maskedinput.js:7 Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src-attr 'unsafe-hashes' 'sha256-TS+Ok6crNR4qdKYT6T5jwMHjsPdCzbg7dmT0eWCSN20='". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

Any idea how to avoid inline script, but at the same time allowing this specific library to run inline events.

Answer 1

You can use the unsafe-hashes like so. Let's say you have:

<button type="button" onclick="alert('Hello World')">Show Alert</button>

then you can use this command to generate your hash:

echo -n "alert('Hello World')" | openssl dgst -sha256 -binary | openssl base64

and then you should use it like:

Content-Security-Policy: script-src 'unsafe-hashes' 'sha256-YOUR_HASH_HERE';

in this case the hash YOUR_HASH_HERE would be: ztv5rbjekwogmr7erW0rKA6H3gY4jEFwwdz2cl8bk1I=