Mozilla Connect

You can use hashes to confirm the integrity of inline <script>s by adding them to the Content Security Policy (CSP) header of the page. If the CSP header is used but a script is not allowed, because the hash is missing (or wrong), an error message is shown in the dev tools' console. In Firefox it looks like this:

Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: "script-src 'self' 'sha256-N0WgDOqcdfL9w1uP613+B2yu6dpc5KPYLXeb9XHepPc=' https://*.googletagmanager.com "

It's hard to find out the correct hash for an inline script. The easiest way at the moment is to use Google Chrome, as it has a better error message:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-N0WgDOqcdfL9w1uP613+B2yu6dpc5KPYLXeb9XHepPc=' https://*.googletagmanager.com ". Either the 'unsafe-inline' keyword, a hash ('sha256-ofImKSSljLzXLojBYDvShM2hWb1UdlR0IiXtVV6UO34='), or a nonce ('nonce-...') is required to enable inline execution.

I suggest to improve Firefox's error message and display the hash that would be correct.