First make sure your browser supports CSP Level 2, you can use our CSP Browser Test to check.
One common problem is that you forgot to wrap the hash in single quotes. So this header would fail:
Content-Security-Policy: script-src js.example.com sha256-xzi4zkCjuC8lZcD2UmnqDG0vurmq12W/XKM5Vd0+MlQ=;
But if you wrap your hash with single quotes it will work:
Content-Security-Policy: script-src js.example.com 'sha256-xzi4zkCjuC8lZcD2UmnqDG0vurmq12W/XKM5Vd0+MlQ=';
Another common reason the script hash is not working would be that you changed the script and have the wrong hash. In that case you can use Chrome developer tools to see what the hash should be.
First, inline scripts do not execute when CSP is enabled, so you will have to move the code within the script tags to its own file. Another option is to add the hash (CSP Level 2) of the script to your script-src header. Whatever you do, do not add
unsafe-inline to support google analytics, that pretty much defeats the purpose of CSP.
Google Analytics will try to load a tiny image, so you will need
Now assuming you have moved your script to a file on the same origin, your header might look like this:
default-src 'none';script-src 'self' www.google-analytics.com;img-src www.google-analytics.com;
Want more info on CSP, checkout these links:
Want to learn the ins and outs CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.Grab a Copy
Advisory Week is a weekly roundup of all the security advisories published by the major software vendors.