
allowing scripts in csp

24.07.2023 1 min read

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

```html
<meta http-equiv="Content-Security-Policy" content="script-src 'self'" />
```

This meta tag allows only scripts served from your own origin: inline scripts and scripts loaded from other origins are blocked. Your site is more secure because of it. This is great. But say you want to run your own inline code, or you have a script that comes from a trusted source. How can we allow it to run?

Here’s what we need to do.

  1. With the JavaScript code, or the script’s source URL, go to this site.
  2. Paste the code or URL into the appropriate input (“Inline scripts/styles” or “External source of script/style”, respectively).
  3. The generator will calculate the hashes and give you three strings for sha256, sha384 and sha512. I took the sha256 version and added it to the meta tag:
```html
<meta
  http-equiv="Content-Security-Policy"
  content="script-src 'self' 'sha256-hash-from-generator'"
/>
```
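The generator is just doing a base64-encoded SHA digest of the script text, so you can compute it locally instead of pasting code into a third-party site. The Python below is an added example, not code from the original post: it hashes every inline `<script>` body in a constructed sample page (`SAMPLE_HTML` is made up for the demo) and emits the corresponding meta tag.

```python
import base64
import hashlib
import re

# Constructed sample page: two inline scripts and one external script.
SAMPLE_HTML = """<html><head></head><body>
<script>console.log("hello");</script>
<script src="/static/app.js"></script>
<script>
  document.body.classList.add("ready");
</script>
</body></html>"""

# Captures the attribute string and the exact body of each <script> element.
_SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def csp_hash(source: str, algo: str = "sha256") -> str:
    """Return the quoted CSP hash-source for the exact script text.

    CSP hashes the raw bytes between <script> and </script>, so whitespace
    and newlines are part of the input: changing either invalidates the hash.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP only accepts sha256, sha384 or sha512")
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_script_hashes(html: str, algo: str = "sha256") -> list[str]:
    """Hash every inline <script> body; scripts with a src attribute are
    skipped because 'self' (or a host source) already covers them."""
    hashes = []
    for attrs, body in _SCRIPT_RE.findall(html):
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue
        hashes.append(csp_hash(body, algo))
    return hashes


def build_policy(html: str, algo: str = "sha256") -> str:
    """Compose the script-src directive for the meta tag above."""
    return "script-src 'self' " + " ".join(inline_script_hashes(html, algo))


def meta_tag(html: str) -> str:
    return f'<meta http-equiv="Content-Security-Policy" content="{build_policy(html)}" />'


if __name__ == "__main__":
    print(meta_tag(SAMPLE_HTML))
```

Run the hashing after any build step that minifies or reformats the inline scripts, since the policy matches the bytes the browser actually receives.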
