
Error on encrypted website load

Open stereokai opened this issue 4 months ago • 3 comments

I'm trying to access a site encrypted with StatiCrypt

What's happening

When I do ... then this happens: Access the website - Staticrypt spinner is visible - error in console:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob:". Either the 'unsafe-inline' keyword, a hash ('sha256-LTOw8XXB1tSHEqT1Hr3wjvdWM3JY8EiA6a0HBIgdwzg='), or a nonce ('nonce-...') is required to enable inline execution.

What should be happening

I expect this would happen instead: Staticrypt login interface visible

My setup

StatiCrypt version: ^3.4.0
Node version: 21.5.0
Any additional relevant context, if any:

stereokai, Sep 09 '25 14:09

Are you seeing this issue when using a file:// URL? If so, have you tested with an http:// or https:// URL?

jimhark, Sep 10 '25 14:09

Thanks for the reply, I'm seeing it on a site published and accessed with https.

stereokai, Sep 11 '25 07:09

Hi @stereokai - thanks for reaching out.

This is due to the CSP headers you are setting - these disable the use of JavaScript inside <script>...</script> tags. This is to force the page to use external JS files (a high-level rule to avoid a general risk of JS injection).

Unfortunately, staticrypt is by design a single self-contained file, so it can't follow that solution. Two solutions that I see here:

  • relax your CSP policy for this page script-src 'self' blob: 'unsafe-inline'
  • add the hashes of the content in the script tags in your policy, to whitelist them: script-src 'self' blob: 'sha256-hash1' 'sha256-hash2' 'sha256-hash3'

Solution 2 is more secure if you want to stay as close as possible to your original policy (though the general use of staticrypt is basically through the first solution). This would mean you'd have to manually generate the hash for each <script> tag in your encrypted file though.

And the hash will change each time you're encrypting the file. We could change that by saving the encrypted string to an HTML node attribute so that the actual script stays the same for each run though, that'd be a quality-of-life improvement. And maybe merging all scripts together so there's only one hash, that way you'd only have to update the single hash if you update the staticrypt version.

robinmoisson, Sep 19 '25 07:09