kirby3-security-headers icon indicating copy to clipboard operation
kirby3-security-headers copied to clipboard

Published 20 hours ago verified publisher icon bnomei

Error when trying to implement a hash

Open MikeHarrison opened this issue 2 years ago • 2 comments

I have a little inline style applied to the body tag (style="height: 100%;") that I need to use a hash for in my CSP.

I have added this to my .json file used to generate my CSP, but am getting an error when loading the page. This is my .json file in full:

{
  "report-only": false,
  "base-uri": {
    "self": true
  },
  "default-src": {
    "self": true
  },
  "connect-src": {
    "self": true
  },
  "font-src": {
    "self": true,
    "allow": ["https://use.typekit.net"]
  },
  "form-action": {
    "allow": [],
    "self": true
  },
  "frame-ancestors": [],
  "frame-src": {
    "allow": [],
    "self": false
  },
  "img-src": {
    "self": true,
    "data": true
  },
  "media-src": [],
  "object-src": [],
  "plugin-types": [],
  "script-src": {
    "allow": [],
    "hashes": [],
    "self": true,
    "unsafe-inline": true,
    "unsafe-eval": true
  },
  "style-src": {
    "self": true,
    "allow": ["https://use.typekit.net", "https://p.typekit.net"],
    "hashes": ["sha256-YTEza4CA2qPCNGLfB6mKa5FjY8kjkO/K7nQxeJxVd9E="]
  },
  "upgrade-insecure-requests": true,
  "worker-src": {
    "allow": [],
    "self": false
  }
}

As you can see I have added the hash to my style-src. The error is:

Invalid argument supplied for foreach()

On line 882 of /vendor/paragonie/csp-builder/src/CSPBuilder.php. The line in question looks like this:

foreach ($hash as $algo => $hashval) {

If you have any pointers as to where I might be going wrong it would be greatly appreciated

MikeHarrison avatar May 04 '22 20:05 MikeHarrison