I am trying to implement a Content Security Policy to enable inline handler execution in a Chrome extension using SHA-256 hashes for each inline event script.

But I cannot get this to work: I extracted all the inlines and calculated hashes, so that my content_security_policy now looks like this:

"content_security_policy": "script-src 'self' 'unsafe-eval' 'sha256-Zy8+Ft7FDcIkrTYgl2BKmEW5XD97XustxKPceyLSioQ=' 'sha256-YNkUpNj1B2/FuE2RmwQf40OIO5rH69xQbG5AAxwshrA=' 'sha256-Pmun4RTarna683hWYftYdXPERPfEVV5fB+qvqh3xnmg=' ... ... 'sha256-RoSxVuvjYKDbU5f+aUEw02rEM9e2Lp9Hz/+rxbp6OMw='; object-src 'self'"

for example, for onclick="w2ui['grid'].click('1', event);" I get sha256-Zy8+Ft7FDcIkrTYgl2BKmEW5XD97XustxKPceyLSioQ=

The docs state that this is a supported method, but it still throws errors:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'sha256-Zy8+Ft7FDcIkrTYgl2BKmEW5XD97XustxKPceyLSioQ=' 'sha256-YNkUpNj1B2/FuE2RmwQf40OIO5rH69xQbG5AAxwshrA=' 'sha256-Pmun4RTarna683hWYftYdXPERPfEVV5fB+qvqh3xnmg=' ... ... Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

Is this a known bug, or am I just misusing the concept?

grandrew
  • Chrome normally shows the sha256 value you require but you've just shown ... in your error message. Did Chrome calculate the same hash value as you did? – Barry Pollard Mar 28 '16 at 19:02
  • no - chrome shows literally `Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.` – grandrew Mar 28 '16 at 21:50

1 Answer

The answer here seems to be that Chrome, for some reason, does not support inline event hashing at all; I was able to work around this by pre-evaluating all the inlines using the 'unsafe-eval' permission:

// Event attributes whose inline text is converted into handler properties.
var events = ["onclick", "onmouseover", "onmouseout", "onmousedown",
"onmouseup", "onscroll", "oncontextmenu", "onmousewheel", "ondblclick"];
function vulcanize_inlines() {
    for(var i=0;i<events.length;i++) {
        // getAllElementsWithAttribute is the helper from the linked answer (see below).
        var els = getAllElementsWithAttribute(events[i]);
        for(var j=0;j<els.length;j++) {
            // Wrap the attribute text in a function; this is what needs 'unsafe-eval'.
            // Inside the body, `event` resolves to window.event, not to a parameter.
            var fun = eval("(function a(){"+els[j].getAttribute(events[i])+"})");
            // Drop the attribute so the element is not processed again on a later pass.
            els[j].removeAttribute(events[i]);
            els[j][events[i]] = fun;
        }
    }
}

and adding this to .onload:

vulcanize_inlines();
var target = document.body;
// Re-run the conversion whenever nodes are added, so dynamically inserted markup is handled too.
var observer = new MutationObserver(function(mutations) {
    vulcanize_inlines();
});
var config = { /*attributes: true,*/ childList: true, 
   characterData: true, subtree: true };
observer.observe(target, config);

I used getAllElementsWithAttribute from this answer.

grandrew
  • If an attacker is able to inject HTML onto a page, wouldn't this allow them to effectively piggyback an inline event along with it? – Doug McClean Sep 29 '20 at 01:00