Does the script-src parameter using hashes work for inline scripts only?
This config works for me (inline script in HTML code):
Apache config:
Header set Content-Security-Policy-Report-Only: "script-src 'sha256-U82JgRvGjy4mzia+G8DutvX8V/W33LIoO2UuwT+rE/0='"
HTML code:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Hello!</title>
</head>
<body>
<h1>Hello World!</h1>
<p>This is a simple paragraph.</p>
<script>alert('hello everybody')</script>
</body>
</html>
where U82JgRvGjy4mzia+G8DutvX8V/W33LIoO2UuwT+rE/0= is the SHA-256 hash of alert('hello everybody'), base64-encoded.
Once I moved the same script alert('hello everybody') into a separate JS file test.js and updated index.html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Hello!</title>
</head>
<body>
<h1>Hello World!</h1>
<p>This is a simple paragraph.</p>
<script src="test.js"></script>
</body>
</html>
CSP blocks the test.js file, even though the hash for it is still the same:
[Report Only] Refused to load the script 'http://localhost/test.js' because it violates the following Content Security Policy directive: "script-src 'sha256-U82JgRvGjy4mzia+G8DutvX8V/W33LIoO2UuwT+rE/0='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
What parameter should I use in CSP to allow a local JS file by hash?