Chrome version 18+: How to allow inline scripting with a Content Security Policy?

by

For recent versions of Chrome (46+), the previously accepted answer is no longer true. unsafe-inline still has no effect (in the manifest and in meta header tags), but per the documentation, you can use the technique described here to relax the restriction.

Hash usage for <script> elements

The script-src directive lets developers whitelist a particular inline script by specifying its hash as an allowed source of script.

Usage is straightforward. The server computes the hash of a particular script block’s contents, and includes the base64 encoding of that value in the Content-Security-Policy header:

Content-Security-Policy: default-src 'self';

                     script-src 'self' https://example.com 'sha256-base64 encoded hash'

Example

Consider the following:

manifest.json:

{
  "manifest_version": 2,
  "name": "csp test",
  "version": "1.0.0",
  "minimum_chrome_version": "46",
  "content_security_policy": "script-src 'self' 'sha256-WOdSzz11/3cpqOdrm89LBL2UPwEU9EhbDtMy2OciEhs="",
  "background": {
    "page": "background.html"
  }
}

background.html:

<!DOCTYPE html>
<html>
  <head></head>
  <body>
    <script>alert("foo');</script>
  </body>
</html>

Result:
alert dialog from inline script

Further investigation

I also tested putting the applicable directive in a meta tag instead of the manifest. While the CSP indicated in the console message did include the content of the tag, it would not execute the inline script (in Chrome 53).

new background.html:

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-WOdSzz11/3cpqOdrm89LBL2UPwEU9EhbDtMy2OciEhs="">
  </head>
  <body>
    <script>alert("foo');</script>
  </body>
</html>

Result:
console error messages about content security policy

Appendix: Generating the hashes

Here are two methods for generating the hashes:

  1. Python (pass JS to stdin, pipe it somewhere else):
import hashlib
import base64
import sys

def hash(s):
    hash = hashlib.sha256(s.encode()).digest()
    encoded = base64.b64encode(hash)
    return encoded

contents = sys.stdin.read()
print(hash(contents))
  1. In JS, using the Stanford Javascript Crypto Library:
var sjcl = require('sjcl');
// Generate base64-encoded SHA256 for given string.
function hash(s) {
  var hashed = sjcl.hash.sha256.hash(s);
  return sjcl.codec.base64.fromBits(hashed);
}

Make sure when hashing the inline scripts that the whole contents of the script tag are included (including all leading/trailing whitespace). If you want to incorporate this into your builds, you can use something like cheerio to get the relevant sections. Generically, for any html, you can do:

var $ = cheerio.load(html);
var csp_hashes = $('script')
  .map((i, el) => hash($(el).text())
  .toArray()
  .map(h => `'sha256-${h}'`)
  .join(' ');
var content_security_policy = `script-src 'self' 'unsafe-eval' ${csp_hashes}; object-src 'self'`;

This is the method used in hash-csp, a gulp plugin for generating hashes.

More Related Contents:

  1. How to access the webpage DOM rather than the extension page DOM?
  2. The Chrome extension popup is not working, click events are not handled
  3. How can I get the URL of the current tab from a Google Chrome extension?
  4. How to stop CORB from blocking requests to data resources that respond with CORS headers?
  5. How can I open my extension’s pop-up with JavaScript?
  6. Since v38, Chrome extension cannot load from HTTP URLs anymore, workaround?
  7. Detect Chrome extension first run / update
  8. Modifying the built-in newtab page
  9. Start an external application from a Google Chrome Extension?
  10. Chrome Extension Content Script on https://chrome.google.com/webstore/
  11. Chrome Extension: how to capture selected text and send to a web service
  12. Where does Chrome store extensions?
  13. How can I get the current tab URL for chrome extension?
  14. Content script matching top-level domains like all google.*
  15. How to download a CRX file from the Chrome web store for a given ID? [closed]
  16. How can I enable my chrome extension in incognito mode?
  17. Console shows error about Content Security policy and lots of failed GET requests
  18. Insert an image in chrome extension
  19. How to disable (gray out) page action for Chrome extension?
  20. Inject HTML into a page from a content script
  21. Content-Security-Policy error in google chrome extension making
  22. chrome.identity User Authentication in a Chrome Extension
  23. Can I modify outgoing request headers with a Chrome Extension?
  24. Is it possible to inject a javascript code that OVERRIDES the one existing in a DOM? (e.g default alert function)
  25. Cross-origin request in a content script is blocked by CORB despite the correct CORS headers
  26. How to make a cross-origin request in a content script (currently blocked by CORB despite the correct CORS headers)?
  27. Google Chrome Extensions – Open New Tab when clicking a toolbar icon
  28. How to fix chrome-extension inline JavaScript invocation error?
  29. Passing message from background.js to popup.js
  30. Accessing `window`/DOM/HTML of the webpage from the extension

Leave a Comment