xxluke
New member
Status: New idea

You can use hashes to confirm the integrity of inline <script>s by adding them to the Content Security Policy (CSP) header of the page. If the CSP header is used but a script is not allowed, because the hash is missing (or wrong), an error message is shown in the dev tools' console. In Firefox it looks like this:

Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: "script-src 'self' 'sha256-N0WgDOqcdfL9w1uP613+B2yu6dpc5KPYLXeb9XHepPc=' https://*.googletagmanager.com "

It's hard to find out the correct hash for an inline script. The easiest way at the moment is to use Google Chrome, as it has a better error message:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-N0WgDOqcdfL9w1uP613+B2yu6dpc5KPYLXeb9XHepPc=' https://*.googletagmanager.com ". Either the 'unsafe-inline' keyword, a hash ('sha256-ofImKSSljLzXLojBYDvShM2hWb1UdlR0IiXtVV6UO34='), or a nonce ('nonce-...') is required to enable inline execution.

I suggest improving Firefox's error message and displaying the hash that would be correct.

2 Comments
Status changed to: New idea
Jon
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

Honza
Employee

Yes, a better error message would be super useful!

I filed a feature request here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1959603

Do you have a simple test case we could use to test and reproduce this?

Thank you!