External Script Hash With 'strict-dynamic' Requires "integrity" Attribute On Script Tag?

I'm working on a site's Content Security Policy, specifically the strict-dynamic keyword. My test site has two files: index.html:

Solution 1:

Why did I need to add the integrity attribute? I'm not seeing it mentioned in the documentation and needing to add this attribute would further complicate our build process.

MDN contains only common things to explain how CSP works. All the nitty-gritty is in CSP spec Usage of 'hash-value' token assumes that external script already has the integrity= attribute (scripts from third-party CDNs). For own scripts it's easier to use 'nonce-value' token. Moreover, Firefox does not support 'hash-value' for allowing external scripts, only for internal ones. Safari - too.

Is there an alternative to needing to specify this attribute?

No way, unfortunately. Only built-in scripts <script>...</script> does not require integrity= attr and will be auto allowed if their hashes contains in the script-src directive.

I'm working on a site's Content Security Policy, specifically the strict-dynamic keyword.

Be careful, Safari still does not support'strict-dynamic'.

Here is how I'm generating the hash in a node script:

const input = `fs.readFileSync("/path/to/index.js"); crypto.createHash("sha256").update(input, 'utf8').digest('base64')

Content of external scripts does not need to be converted to UTF8 before hashing, only inline scripts have to be transcoded. Also CSP spec requires all '-' characters replace with '+', and all '_' characters replace with '/' in the hashes value. And after that 'sha256-' prefix is added.