My Javascript web app uses React Helmet. I’m seeing this in the console logs on the browser:
Either the ‘unsafe-inline’ keyword, a hash (‘sha256-lF5Q6Eq8Av6zH8RSHuuey72cx1jMH2u3UMj8e7nNjto=’), or a nonce (‘nonce-…’) is required to enable inline execution.
I added the hash to my Content Security Policy setup:
{
"allowedOrigins_script_src": [
"self",
"https://mywebsite.com/graphql",
"sha256-lF5Q6Eq8Av6zH8RSHuuey72cx1jMH2u3UMj8e7nNjto=",
],
…but it isn’t being accepted as a hash:
The source list for the Content Security Policy directive ‘script-src’ contains an invalid source: ‘sha256-lF5Q6Eq8Av6zH8RSHuuey72cx1jMH2u3UMj8e7nNjto=’. It will be ignored.
Note that it says "invalid source", not "invalid hash".
What am I missing?
>Solution :
{
"allowedOrigins_script_src": [
"self",
"https://mywebsite.com/graphql",
"’sha256-lF5Q6Eq8Av6zH8RSHuuey72cx1jMH2u3UMj8e7nNjto=’"
]
}