Content-Security-Policy sha256 mismatch
I'm trying to set a very strict CSP on my site while moving from WordPress to Ghost, and I think I'm missing something very obvious.



I've gone through the documentation and am doing what I think I'm supposed to, but something is not working. My CSP validates on Google's CSP validator, and when I checksum the scripts by doing curl | sha256sum I get the same checksum that I've added to my policy. However, when browsing the site, the scripts are denied because they don't validate.



I know why the inline scripts aren't loading, because I haven't figured out the nonce part yet, but I figure I'll get to that after I get the main part running.



I'm running the latest NGINX and a brand new Ghost install on Ubuntu 18.04, with MariaDB.



The CSP headers I'm adding to the site are through the NGINX conf file for the site, but are as follows. This is presented below in a readable manner; in my actual NGINX config file everything is on one line, because otherwise I get HTTPS protocol errors:



    add_header Content-Security-Policy "base-uri 'self' https://beta.robbiecrash.me;
    default-src 'self' https://beta.robbiecrash.me;
    object-src 'none';
    connect-src 'self';
    font-src 'self';
    frame-src www.youtube.com;
    img-src 'self';
    script-src 'strict-dynamic'
    'sha256-QT9FPilWNRx81jNnzwGg8aKVftFHsTMs7UcdGqgPGBY='
    'sha256-DfwnDueq8Kk23IWsFe1JOHznwCCIIYaJcBnt+SCv7y8='
    'sha256-bj/JlIND2F1ZRARRwS8t4d22whMq5QMxT2rGs/hyGKg='
    'sha256-psNZvEVSwudZCmMthmvN/ol/ZqTA/e6EBRnRmxq0gyU='
    'sha256-BSJSoYL3U/h9xfMICRiRZw/GId8TxSgDkqr3/yGkXaM='
    'sha256-G1YPIho+4GJ3Mx5AW5VrOE1e94MKZDtODCVxibet+Ic='
    'sha256-VXclGR1TDdlJWafKXNnziC4NWnKSUF5eCMGLHBXTwOs='
    'sha256-ToHDftw1HI6v/zp4y9Ua7GWD/lduxaBPhYXOpJ+pheY='
    'sha256-EbIleRp3k4KblfrrVZx2y5CZ6W+uPnYpuvdugay1SLE='
    'sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4='
    'sha256-jTGzLAqOAcOL+ALD2f2tvFY7fs6dwkOeo88xiuVHaRk='
    'sha256-uURSbWfSLHhi+UpdPjpowvdJK8c/9pV7tbNDEvSL6cM='
    'sha256-Ch5rv5tgAdVMCh7Wqb0UOcXkQAHNFSezi+0v/0z6xfw='
    'sha256-Cnsy1D8mpJ5y4oRYZnhMnNxD51Cc1hHiQX33Jckfcn0='
    'unsafe-inline'
    inline: 'self';
    style-src
    'sha256-N1K43s+8twRa+tzzoF3V8EgssdDiZ6kd9r8Rfgg8kZU='
    'sha256-+UKXHR4SMd37yUxqCERfCWTT8gUc3QPJ/UXlvgcE74A='
    'sha256-J5oxR0L06zUscYq2mIlVVL5xpZ+Y5NBcit/F+Zh7ei4='
    'sha256-Drj3vHAhMI5tuKJTEjwJwQRAsZDcF463bO0KllBipH0='
    'sha256-T8cuZtWj79tY0DXOgszGq42DByRWbdRQULuIYGfFx6s='
    inline: 'self';
    script-src-elem cdnjs.cloudflare.com code.jquery.com inline: 'self';
    style-src-attr inline: 'self';
    style-src-elem cdnjs.cloudflare.com 'self' inline: 'self';";


For example, the script:
https://beta.robbiecrash.me/public/ghost-sdk.min.js?v=9f1aeb2053



When I curl it, checksums to:



413f453e2956351c7cd63367cf01a0f1a2957ed147b1332ced471d1aa80f1816


Which converts to the following in Base64:



QT9FPilWNRx81jNnzwGg8aKVftFHsTMs7UcdGqgPGBY=


Which is the first sha256- entry in my script-src. The site, such as it currently is, can be reached at https://beta.robbiecrash.me



Have I completely misunderstood how CSP is supposed to be set up? Is this because I'm setting the new directives, but not totally filling them out? Chrome reports these directives are ignored because I haven't enabled them in chrome://flags.
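Two properties of the policy above are worth checking before chasing the hash values themselves. A hash-source describes the exact bytes of an inline `<script>` body; CSP Level 3 lets it authorize an external `<script src>` only when that element carries a matching `integrity` attribute, so the hash of a file fetched with curl does nothing for a plain `<script src>` tag. Separately, `'strict-dynamic'` tells the browser to ignore `'self'` and host sources in that directive, `'unsafe-inline'` is ignored whenever a nonce or hash is present, and `inline:` parses as a URL scheme that no request will ever carry. The script below is an added example, not code from the original post or from Ghost or NGINX; it uses only the Python standard library, the `sha256sum` output quoted in the question, and a constructed inline script. It converts the hex digest into the base64 form CSP expects, shows that a single trailing newline changes an inline hash, and audits a `script-src` list for the interactions just described:

```python
"""Sanity checks for CSP hash-sources and a script-src source list.

Added example for this page; it is not code from the original post. Only the
Python standard library is used, and the only real value it depends on is the
sha256sum output quoted in the question.
"""
import base64
import hashlib
import re

# URL schemes a browser can match against an actual request. A token such as
# "inline:" has the shape of a scheme-source but no request ever has that scheme.
KNOWN_SCHEMES = {"http", "https", "data", "blob", "filesystem", "mediastream", "ws", "wss"}

KEYWORDS = {"'none'", "'self'", "'strict-dynamic'", "'unsafe-inline'", "'unsafe-eval'",
            "'unsafe-hashes'", "'report-sample'"}
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/]+=*'$")
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/]+=*'$")


def csp_hash(body: bytes, alg: str = "sha256") -> str:
    """Hash-source for an inline script: the exact bytes between <script> and </script>."""
    digest = hashlib.new(alg, body).digest()
    return f"'{alg}-{base64.b64encode(digest).decode('ascii')}'"


def hex_to_csp_hash(hexdigest: str, alg: str = "sha256") -> str:
    """Convert the hex digest printed by sha256sum into the base64 form CSP expects."""
    return f"'{alg}-{base64.b64encode(bytes.fromhex(hexdigest)).decode('ascii')}'"


def parse_policy(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [source expressions]}.

    Directives are separated by ';' and tokens by ASCII whitespace, as in the
    CSP grammar; the header value itself must be a single line.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_script_src(sources: list) -> list:
    """Return findings about source expressions that will not do what they look like."""
    findings = []
    has_hash_or_nonce = any(HASH_RE.match(s) or NONCE_RE.match(s) for s in sources)
    hosts = []  # 'self' and host-sources, which 'strict-dynamic' switches off
    for s in sources:
        if HASH_RE.match(s) or NONCE_RE.match(s) or s in KEYWORDS:
            if s == "'self'":
                hosts.append(s)
            continue
        if s.endswith(":"):
            if s[:-1].lower() not in KNOWN_SCHEMES:
                findings.append(f"{s} parses as a scheme-source, but no request uses the "
                                f"scheme {s[:-1]!r}, so it matches nothing")
            continue
        hosts.append(s)  # anything else is a host-source such as cdnjs.cloudflare.com
    if "'unsafe-inline'" in sources and has_hash_or_nonce:
        findings.append("'unsafe-inline' is ignored because the list also contains a hash or nonce")
    if "'strict-dynamic'" in sources and hosts:
        findings.append(f"'strict-dynamic' makes the browser ignore {' '.join(hosts)}; a "
                        "<script src> written into the HTML needs a nonce (or a matching "
                        "integrity attribute) instead")
    return findings


# The script-src from the question, shortened to its first hash (constructed from the
# policy text above; the remaining hashes change nothing in the audit).
QUESTION_SCRIPT_SRC = ("script-src 'strict-dynamic' "
                       "'sha256-QT9FPilWNRx81jNnzwGg8aKVftFHsTMs7UcdGqgPGBY=' "
                       "'unsafe-inline' inline: 'self'")

# sha256sum output for ghost-sdk.min.js as quoted in the question.
QUESTION_HEX = "413f453e2956351c7cd63367cf01a0f1a2957ed147b1332ced471d1aa80f1816"


def audit_question_policy() -> list:
    """Findings for the question's own script-src list."""
    return audit_script_src(parse_policy(QUESTION_SCRIPT_SRC)["script-src"])


if __name__ == "__main__":
    print(hex_to_csp_hash(QUESTION_HEX))  # the first hash-source in the policy above
    # A hash covers exact bytes: a trailing newline inside <script> is a different script.
    print(csp_hash(b"console.log(1)"), csp_hash(b"console.log(1)\n"))
    for finding in audit_question_policy():
        print("-", finding)
```

Feed `parse_policy` the full header value exactly as NGINX sends it (one line), then run `audit_script_src` over each of `script-src`, `script-src-elem` and `script-src-attr`; the same findings apply to the three lists, and the audit is independent of whether the browser in use enforces the newer `-elem`/`-attr` directives yet.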
javascript nginx

edited Dec 31 '18 at 4:31

asked Dec 30 '18 at 23:45

Robbie Crash