
I am trying to implement a Content-Security-Policy that enables inline handler execution in a Chrome extension, using SHA-256 hashes for each inline event script.

But I cannot get this to work: I extracted all the inlines and calculated their hashes, so that my content_security_policy now looks like this:

"content_security_policy": "script-src 'self' 'unsafe-eval' 'sha256-Zy8+Ft7FDcIkrTYgl2BKmEW5XD97XustxKPceyLSioQ=' 'sha256-YNkUpNj1B2/FuE2RmwQf40OIO5rH69xQbG5AAxwshrA=' 'sha256-Pmun4RTarna683hWYftYdXPERPfEVV5fB+qvqh3xnmg=' ... ... 'sha256-RoSxVuvjYKDbU5f+aUEw02rEM9e2Lp9Hz/+rxbp6OMw='; object-src 'self'"

For example, for onclick="w2ui['grid'].click('1', event);" I get sha256-Zy8+Ft7FDcIkrTYgl2BKmEW5XD97XustxKPceyLSioQ=

The docs state that this is a supported method, but it still throws errors:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'sha256-Zy8+Ft7FDcIkrTYgl2BKmEW5XD97XustxKPceyLSioQ=' 'sha256-YNkUpNj1B2/FuE2RmwQf40OIO5rH69xQbG5AAxwshrA=' 'sha256-Pmun4RTarna683hWYftYdXPERPfEVV5fB+qvqh3xnmg=' ... ... Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

Is it a known bug, or am I just misusing the concept?

  • Chrome normally shows the sha256 value you require but you've just shown ... in your error message. Did Chrome calculate the same hash value as you did? Commented Mar 28, 2016 at 19:02
  • No, Chrome shows literally: Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Commented Mar 28, 2016 at 21:50

1 Answer


The answer here seems to be that Chrome, for some reason, does not support inline event hashing at all; I was able to work around this by pre-evaluating all the inlines using the 'unsafe-eval' permission:

// Inline-handler attributes that get converted into property handlers.
var events = ["onclick", "onmouseover", "onmouseout", "onmousedown",
"onmouseup", "onscroll", "oncontextmenu", "onmousewheel", "ondblclick"];

// Equivalent of the linked getAllElementsWithAttribute helper: every element
// carrying the given attribute.
function getAllElementsWithAttribute(attribute) {
    return document.querySelectorAll("[" + attribute + "]");
}

function vulcanize_inlines() {
    for (var i = 0; i < events.length; i++) {
        var els = getAllElementsWithAttribute(events[i]);
        for (var j = 0; j < els.length; j++) {
            // eval needs 'unsafe-eval' in the extension CSP; the attribute body
            // is compiled once, with `event` bound as the handler's argument.
            var fun = eval("(function(event){" + els[j].getAttribute(events[i]) + "})");
            els[j].removeAttribute(events[i]);
            els[j][events[i]] = fun;
        }
    }
}

and adding this to .onload:

vulcanize_inlines();
var target = document.body;
// Re-run after DOM changes so handlers on dynamically inserted nodes are
// converted too; attribute mutations are deliberately not observed, since
// removeAttribute above would otherwise re-trigger the observer.
var observer = new MutationObserver(function(mutations) {
    vulcanize_inlines();
});
var config = { /*attributes: true,*/ childList: true,
   characterData: true, subtree: true };
observer.observe(target, config);

I took getAllElementsWithAttribute from this answer.


1 Comment

If an attacker is able to inject HTML onto a page, wouldn't this allow them to effectively piggyback an inline event along with it?
