Content-Security-Policy sha256 mismatch
I'm trying to set a very strict CSP on my site while moving from WordPress to Ghost, and I think I'm missing something very obvious.
I've gone through the documentation and am doing what I think I'm supposed to, but something is not working. My CSP validates on Google's CSP validator, and when I checksum the scripts by doing curl | sha256sum I get the same checksum that I've added to my policy. However, when browsing the site, the scripts are denied because they don't validate.
I know why the inline scripts aren't loading, because I haven't figured out the nonce part yet, but I figure I'll get to that after I get the main part running.
I'm running the latest NGINX and a brand new Ghost install on Ubuntu 18.04, with MariaDB.
I'm adding the CSP headers through the NGINX conf file for the site; they are as follows. This is presented below in a readable manner; in my actual NGINX config file everything is on one line, because otherwise I get HTTPS protocol errors:
add_header Content-Security-Policy "base-uri 'self' https://beta.robbiecrash.me;
default-src 'self' https://beta.robbiecrash.me;
object-src 'none';
connect-src 'self';
font-src 'self';
frame-src www.youtube.com;
img-src 'self';
script-src 'strict-dynamic'
'sha256-QT9FPilWNRx81jNnzwGg8aKVftFHsTMs7UcdGqgPGBY='
'sha256-DfwnDueq8Kk23IWsFe1JOHznwCCIIYaJcBnt+SCv7y8='
'sha256-bj/JlIND2F1ZRARRwS8t4d22whMq5QMxT2rGs/hyGKg='
'sha256-psNZvEVSwudZCmMthmvN/ol/ZqTA/e6EBRnRmxq0gyU='
'sha256-BSJSoYL3U/h9xfMICRiRZw/GId8TxSgDkqr3/yGkXaM='
'sha256-G1YPIho+4GJ3Mx5AW5VrOE1e94MKZDtODCVxibet+Ic='
'sha256-VXclGR1TDdlJWafKXNnziC4NWnKSUF5eCMGLHBXTwOs='
'sha256-ToHDftw1HI6v/zp4y9Ua7GWD/lduxaBPhYXOpJ+pheY='
'sha256-EbIleRp3k4KblfrrVZx2y5CZ6W+uPnYpuvdugay1SLE='
'sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4='
'sha256-jTGzLAqOAcOL+ALD2f2tvFY7fs6dwkOeo88xiuVHaRk='
'sha256-uURSbWfSLHhi+UpdPjpowvdJK8c/9pV7tbNDEvSL6cM='
'sha256-Ch5rv5tgAdVMCh7Wqb0UOcXkQAHNFSezi+0v/0z6xfw='
'sha256-Cnsy1D8mpJ5y4oRYZnhMnNxD51Cc1hHiQX33Jckfcn0='
'unsafe-inline'
inline: 'self';
style-src
'sha256-N1K43s+8twRa+tzzoF3V8EgssdDiZ6kd9r8Rfgg8kZU='
'sha256-+UKXHR4SMd37yUxqCERfCWTT8gUc3QPJ/UXlvgcE74A='
'sha256-J5oxR0L06zUscYq2mIlVVL5xpZ+Y5NBcit/F+Zh7ei4='
'sha256-Drj3vHAhMI5tuKJTEjwJwQRAsZDcF463bO0KllBipH0='
'sha256-T8cuZtWj79tY0DXOgszGq42DByRWbdRQULuIYGfFx6s='
inline: 'self';
script-src-elem cdnjs.cloudflare.com code.jquery.com inline: 'self';
style-src-attr inline: 'self';
style-src-elem cdnjs.cloudflare.com 'self' inline: 'self';";
For example, the script:
https://beta.robbiecrash.me/public/ghost-sdk.min.js?v=9f1aeb2053
When I curl it, checksums to:
413f453e2956351c7cd63367cf01a0f1a2957ed147b1332ced471d1aa80f1816
Which converts to the following in Base64:
QT9FPilWNRx81jNnzwGg8aKVftFHsTMs7UcdGqgPGBY=
Which is the first sha256- entry in my script-src. The site, such as it currently is, can be reached at https://beta.robbiecrash.me
Have I completely misunderstood how CSP is supposed to be set up? Is this because I'm setting the new directives but not totally filling them out? Chrome reports that these directives are ignored because I haven't enabled them in chrome://flags.
javascript nginx
edited Dec 31 '18 at 4:31 by Robbie Crash
asked Dec 30 '18 at 23:45 by Robbie Crash
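Added illustration, not part of the question (the page carries no answer): a small Python script that builds CSP hash-source tokens the way a browser does, converts a sha256sum hex digest into that form, and lists which tokens of a script-src directive a browser ignores once a hash or 'strict-dynamic' is present. SAMPLE_POLICY is a constructed, shortened form of the policy in the question, and the function names are my own.

```python
import base64
import hashlib

HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def csp_hash_source(script_bytes: bytes) -> str:
    """CSP hash-source token for a script body: base64 of the raw SHA-256 digest.
    The browser hashes the exact bytes of an inline <script> body, so a trailing
    newline or different indentation yields a different token."""
    return "'sha256-" + base64.b64encode(hashlib.sha256(script_bytes).digest()).decode() + "'"


def hex_digest_to_csp_source(hex_digest: str) -> str:
    """sha256sum-style hex digest -> CSP token (base64 of the 32 raw bytes, not of the hex text)."""
    return "'sha256-" + base64.b64encode(bytes.fromhex(hex_digest)).decode() + "'"


def script_src_tokens(policy: str) -> list:
    """Source expressions of the script-src directive, or [] if the policy has none."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def explain_script_src(policy: str) -> dict:
    """Split script-src tokens into those the browser honours and those it ignores.
    A nonce or hash source makes 'unsafe-inline' ignored (CSP Level 2); 'strict-dynamic'
    additionally makes 'self', host sources and scheme sources ignored (CSP Level 3).
    In Level 2, hash sources match only inline scripts; an external script is admitted
    by a host source or 'self', which 'strict-dynamic' switches off."""
    tokens = script_src_tokens(policy)
    strict = "'strict-dynamic'" in tokens
    has_nonce_or_hash = any(t.startswith(("'nonce-",) + HASH_PREFIXES) for t in tokens)
    effective, ignored = [], {}
    for t in tokens:
        if t == "'unsafe-inline'" and (strict or has_nonce_or_hash):
            ignored[t] = "a nonce, hash or 'strict-dynamic' is present"
        elif (t == "'self'" or not t.startswith("'")) and strict:
            ignored[t] = "'strict-dynamic' is present"  # host-source, scheme-source or 'self'
        else:
            effective.append(t)
    return {"effective": effective, "ignored": ignored}


# Constructed, shortened version of the policy in the question (not the real header).
SAMPLE_POLICY = ("default-src 'self'; script-src 'strict-dynamic' "
                 "'sha256-QT9FPilWNRx81jNnzwGg8aKVftFHsTMs7UcdGqgPGBY=' "
                 "'unsafe-inline' inline: 'self'; object-src 'none'")
```

Calling explain_script_src(SAMPLE_POLICY) reports 'unsafe-inline', inline: and 'self' as ignored, leaving only 'strict-dynamic' and the hash in force; under CSP Level 2 that hash matches an inline script body, not an external file fetched from 'self'.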