I cannot get whitelisting by checksum to work in Firefox (52.0.2, Windows). Firefox supports version 2 of Content Security Policy according to caniuse, so the checksum must be supported.
When Chrome blocks the inline script, it prints the necessary sha-256 to the console. Adding it to the CSP rules is done using the whitelist script. The checksum is also identical to the checksum calculated at
https://report-uri.io/home/hash
But Firefox refuses to accept it.
I noticed that the example in the MDN docs uses base-16 as opposed to base-64 encoding for the checksum.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
But even with the MDN example, I get the same results. (Also, Chrome is rejected with base-16 encoding.) I tried several options:
```html
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
content="script-src 'sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f'">
<title>Hello CSP</title>
</head>
<body>
<script type="text/javascript">var inline = 1;</script>
</body>
</html>
```
Content Security Policy: The page settings blocked downloading the resource offline ("script-src 'sha256-076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f'"). Source: var inline = 1;.
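An added example, not part of the original post: CSP Level 2 defines a hash source as the base64 encoding of the raw digest of the exact inline script text, so this sketch computes that token for each inline script in a page and checks whether the page's `script-src` lists it. The names `csp_hash`, `hex_to_csp`, `InlineScripts` and `audit` are made up for this illustration, and the sample page is constructed from the markup in the question.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser

def csp_hash(text, algo="sha256"):
    """CSP hash source for the exact inline script text (base64 of the raw digest)."""
    digest = hashlib.new(algo, text.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))

def hex_to_csp(hex_digest, algo="sha256"):
    """Re-encode a base-16 digest as the base64 token used in a policy."""
    return "'%s-%s'" % (algo, base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii"))

class InlineScripts(HTMLParser):
    """Collect the text of <script> elements that have no src attribute."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

def audit(html, policy):
    """Per inline script: (text, expected token, listed in script-src by exact match)."""
    m = re.search(r"(?:^|;)\s*script-src\s+([^;]*)", policy)
    sources = set(m.group(1).split()) if m else set()
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    return [(s, csp_hash(s), csp_hash(s) in sources) for s in parser.scripts]

# Constructed sample: the markup from the question with its base-16 token.
HEX = "076c8f1ca6979ef156b510a121b69b6265011597557ca2971db5ad5a2743545f"
PAGE = '<html><body><script type="text/javascript">var inline = 1;</script></body></html>'
if __name__ == "__main__":
    for text, token, ok in audit(PAGE, "script-src 'sha256-%s'" % HEX):
        print(ok, token, repr(text))
    print("hex re-encoded:", hex_to_csp(HEX))
```

The digest covers every character between the script tags, so whitespace added by a template or minifier changes the token.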