
I have been messing about with website design for years, but I am no expert - more of a hardware junkie.

CSP is fascinating for me now that I am starting to branch out into web development. I was really battling with hashes for my scripts because I used an online SHA-384 generator & Chrome wouldn't recognise those. Eventually I twigged that Chrome actually supplied 256-bit hashes for me, and I could include those in my .htaccess file - it was just a question of iterating over the pages on my site, grabbing the hashes, and including them in my list of approved scripts & styles.

As I said, I am no coding master, so I have encountered a problem where Chrome doesn't give me the actual hash for a script, truncating it to sha256..., and I have no clue what script is running (Wordpress). Before you all shout me down, I have built sites without using a CMS, but this is the platform I am working on at the moment.

How do I find the code for the injected script so I can hash it & include it? From Mozilla's docs, I found that a hash should include all white space excluding the "script" tag - I tried that & got nowhere with my FB Pixel code, so I deleted that, perhaps you have an answer for me on that one?

As for the inline injected script - I need to find out how to identify what is being injected, and how to hash it for my CSP.

Anders
Flatspin
  • Hi and welcome to the site! I took the liberty to remove the last paragraph, since it was not really related to your question. Offering off site rewards is not encouraged here. Instead upvote good answers, and if an answer solves your problem, accept it. – Anders Apr 19 '18 at 19:33

1 Answer

For a CMS, such as wordpress, I would strongly recommend using a nonce instead of hashes. There is even a plugin for that.

Including too many hashes has performance cost, as the browser has to hash all the scripts to compare the hashes. Also using it on files that change, for example because of updates is not feasible.

If you still want to use it, my only advice can be to look for a way to get the error "untruncated". You can try to shorten the header so that there is more space in the console or try to look into Chrome log files, whether it is there.

Peter Harmann
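One way to get the exact inline text the browser is hashing, and the matching CSP tokens, as an added example (not code from the question, the answer, or any WordPress plugin). It uses only the Python standard library; the sample page is constructed for the example. It also makes the whitespace rule concrete: the hash covers the element's text byte for byte, tags excluded.

```python
import base64
import hashlib
from html.parser import HTMLParser


class InlineCollector(HTMLParser):
    """Collect the exact text of inline <script> and <style> elements.

    A CSP hash covers the element text verbatim (whitespace and newlines
    included) but not the tags. <script src=...> is external and skipped.
    """

    def __init__(self):
        super().__init__()
        self.scripts, self.styles = [], []
        self._target, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(n == "src" for n, _ in attrs):
            self._target, self._buf = self.scripts, []
        elif tag == "style":
            self._target, self._buf = self.styles, []

    def handle_data(self, data):
        if self._target is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if self._target is not None and tag in ("script", "style"):
            self._target.append("".join(self._buf))
            self._target = None


def csp_hash(source: str) -> str:
    """Return the 'sha256-<base64>' token CSP expects for one inline block."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def hash_sources(html: str) -> dict:
    """Map every inline script/style body in a page to its CSP hash token."""
    parser = InlineCollector()
    parser.feed(html)
    parser.close()
    return {"script-src": [csp_hash(s) for s in parser.scripts],
            "style-src": [csp_hash(s) for s in parser.styles]}


# Constructed sample (not the asker's page): the external script is skipped,
# and the newlines inside <style> are part of what gets hashed.
SAMPLE_HTML = ('<script src="/app.js"></script>\n<script>alert(1)</script>\n'
               '<style>\nbody { margin: 0 }\n</style>')
```

Run `hash_sources(page_html)` over the served HTML of each page and paste the tokens into the `script-src` and `style-src` directives; if a PHP-generated inline block changes per request, its hash changes too, which is the case for a nonce rather than a hash.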
  • I tried 'verbose' in Chrome console & still got the 'sha...' message.

    I don't have that many scripts running, because I have done all the social-sharing goodness in PHP - dynamically generated with a little bit of help from https://www.advancedcustomfields.com to add extra fields for og:description & og:image.

    I am using https://foundationpress.olefredrik.com as the basis of my Wordpress installation, so the code is pretty tight in terms of optimisation.

    – Flatspin Apr 19 '18 at 19:57
  • and then I need to learn to use these blinking linky things :P – Flatspin Apr 19 '18 at 19:58
  • Should I remove my CSP from my .htaccess file, because that would be my understanding & how can I trust a WP-addon to offer server-level security?

    Can we just not find the inline scripts that are annoying me?

    – Flatspin Apr 19 '18 at 20:07
  • Well, it is not easy to find those pesky scripts. What is worse, the scripts may sometimes change, because PHP may be entering values in. Also, the header is not server level security!!! If the attacker can execute PHP code, it can easily override the headers anyway (unless you block the header() function and any related functions explicitly in your PHP config). – Peter Harmann Apr 19 '18 at 20:09
  • @Flatspin Also, you should leave them in the .htaccess. The plugin does not handle headers on resources, only PHP files, so you still need security headers for images, javascript, css and other resources. The plugin will replace the headers with a variant that allows the javascript with nonce. – Peter Harmann Apr 19 '18 at 20:13
  • The .htaccess file is server-level & I have pretty much secured it, though you are more than welcome to attempt to hack it & provide your recommendations, because as I said, I am no expert and I am always willing to learn.

    I had my site secured under Chrome, but Firefox, Opera, and Edge broke, so I had to downgrade my CSP to ensure compatibility.

    Chrome was allowing my directives, but the others weren't, so I am not sure who is to blame.

    It's not PHP giving me a headache, it's Javascript. I know what scripts I am running with PHP.

    I am even willing to pay for a solution...

    – Flatspin Apr 19 '18 at 20:19
  • @Flatspin What I am trying to say is that the settings in the htaccess file can be replaced using the header() function in PHP. If the CSP header is set in both htaccess and PHP, the one in PHP is used (as I understand it). Therefore it can be bypassed without changing htaccess. – Peter Harmann Apr 19 '18 at 20:21
  • @Flatspin unfortunately, I don't have the solution. I ran into the same problem with my wordpress installation and just resigned into using the plugin, as using hashes did not seem to bring any additional security anyway. – Peter Harmann Apr 19 '18 at 20:23
  • @Flatspin Please also note, that your CSP header does not have to be the same for all files on the web, so you can use the plugin for wordpress php files and htaccess with much more constrained policy for everything else + as a backup if the plugin fails/is disabled (if page not loading is preferable to insecure access). – Peter Harmann Apr 19 '18 at 20:24
  • I have been checking the hashes for the injected style & scripts & they're the same. It's just those couple that have a long message in Chrome where I am not supplied with the hash.

    I'll give the plugin a bash, thanks for the advice, though I would prefer not to use a plugin as I have found they're all a little resource-hungry, and I am looking for speed, and usability.

    – Flatspin Apr 19 '18 at 20:26
  • I like my 97% PageSpeed score. ;) – Flatspin Apr 19 '18 at 20:28
  • As per your answer, you're saying PHP headers take precedence over .htaccess, so I should set them in my PHP header, then? – Flatspin Apr 19 '18 at 20:30
  • @Flatspin Lovely :) I was not able to get anywhere near because of a cheap shared host :/ Well, if you ever find a way to do the CSP without the plugin, let us know. I was not able to. – Peter Harmann Apr 19 '18 at 20:30
  • @Flatspin Yes, PHP headers take precedence. The plugin uses PHP, so you can use both. Let the plugin sort out the inline stuff in wordpress and set a much stricter policy in htaccess, which is used for everything else. Then, if the plugin ever fails, the .htaccess will block any request that would be otherwise unsafe. – Peter Harmann Apr 19 '18 at 20:33
  • I have a reseller account, so I can modify my .htaccess file as I see fit per domain.

    For all your help, I am willing to offer you hosting for free on either my SA or UK servers.

    I have been paying for these servers for years & they're not making me any money, but then I was just messing about.

    I'll give you 1GB web space, unlimited bandwidth* (within reason), and as much email & databases as you need (*also within reason).

    The difference between using me & a big hosting company is that I know my customers, and they have my personal number.

    – Flatspin Apr 19 '18 at 20:40
  • The solution offered works nicely & has helped me troubleshoot my Wordpress configuration - I have it working in all browsers now, except Bing which doesn't accept the usage of an inline script & therefore breaks my link buttons.

    Firefox throws errors about none of my sha-256 hashes matching but still runs my site. Strange that.

    Can someone please upvote that answer because I don't have enough Rep.

    – Flatspin Apr 20 '18 at 08:44