Support calculating script hashes for injected JS

We are working to add a CSP to our site. We want to remove unsafe-inline from our CSP. There are two ways to do that:

  1. Set a nonce header and add the nonce to all inline scripts
  2. Calculate the hash of each script and include the hash in the CSP header

The issue with option 1 is that the nonce is only safe to use if every page response receives a different nonce. However, we are using Cloudflare to cache some pages in an SPA, and those pages will receive the same nonce on every response while the page is in the cache.

The risk is that if someone could inject an XSS into our site, they could observe the nonce, inject a script with the nonce, and send the link to the target. The attack would only be valid until the cache expired and a new nonce was injected, but it is still a risk.

We would like it if Cloudflare was able to add the hash of the bot detection script to the CSP header:

<script>
(function() {
    if (!document.body)
        return;
    var js = "window['__CF$cv$params']={r:'875e8191cf97a86c',t:'MTcxMzM3ODgzNC41NzkwMDA='};_cpo=document.createElement('script');_cpo.nonce='',_cpo.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js',document.getElementsByTagName('head')[0].appendChild(_cpo);";
    var _0xh = document.createElement('iframe');
    _0xh.height = 1;
    _0xh.width = 1;
    _0xh.style.position = 'absolute';
    ...

It would be something like 'sha256-abc123...'.

This would mean that we don’t need to use a nonce, which opens our site up to a (small) risk of reused nonces.
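A way to compute the script hashes described in option 2, and to check whether such a hash survives the per-response values (r, t) carried by a script like the one above, as an added example that is not code from the post or from Cloudflare; the sample pages, the script contents and the function names are constructed for illustration:

```python
import base64
import hashlib
import re

# Matches each <script ...>body</script> pair; the open tag is captured so
# scripts with a src= attribute (external, not hashed by body) can be skipped.
SCRIPT_RE = re.compile(r"(<script\b[^>]*>)(.*?)</script>", re.DOTALL | re.IGNORECASE)

def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """CSP hash-source for one inline script: base64(digest) of the exact
    bytes between the tags, leading/trailing whitespace included."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"

def inline_script_hashes(html: str) -> list[str]:
    """Hash-sources for every inline <script> in the document, in order."""
    hashes = []
    for open_tag, body in SCRIPT_RE.findall(html):
        if re.search(r"\bsrc\s*=", open_tag, re.IGNORECASE):
            continue  # external script: allow-listed by URL, not by body hash
        hashes.append(csp_hash(body))
    return hashes

def script_src_directive(html: str) -> str:
    """Build a script-src directive that needs neither nonces nor unsafe-inline."""
    return "script-src 'self' " + " ".join(inline_script_hashes(html))

def is_allowed(directive: str, script_body: str) -> bool:
    """Check whether a script body would be permitted by the directive."""
    return csp_hash(script_body) in directive.split()

# Constructed sample pages (hypothetical, not real Cloudflare output): the same
# bootstrap script rendered for two responses whose r and t values differ,
# as the per-response parameters in the challenge script do.
PAGE_A = "<html><head><script src=\"/app.js\"></script>" \
         "<script>window['p']={r:'aaa',t:'111'};</script></head></html>"
PAGE_B = PAGE_A.replace("r:'aaa',t:'111'", "r:'bbb',t:'222'")

def hash_is_stable_across_responses(a: str, b: str) -> bool:
    """True only if every inline script hashes identically on both responses,
    i.e. a fixed hash in the CSP header would keep working for both."""
    return inline_script_hashes(a) == inline_script_hashes(b)

if __name__ == "__main__":
    print(script_src_directive(PAGE_A))
    print("stable across responses:", hash_is_stable_across_responses(PAGE_A, PAGE_B))
```

Because the hash covers the exact script bytes, any per-response value embedded in the script changes the hash, so a static hash only works for a script whose body is identical on every response.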
