I’m trying to add MathJax to my site, either via CDN or dumping it in
static/ or whatever.
I just can’t get the new CSP right. I don’t hate the idea of CSP, just this execution I guess.
I’m trying to add:
so I would naturally, you know, put that file in
static/ and go and compute:
$ openssl dgst -sha256 -binary ./static/tex-chtml-full.js | openssl base64
f58GxZy2dk4t4ZRmiNvEzBAQWIqu2FpT/t20pWGT9Ro=
which I should put in my
script-src 'strict-dynamic' 'sha256-MKgjHN/uHnaFdjV+WQmG2kDfBKUZ/7VcynwBlQKVqdo=' 'self' https: http:; object-src 'none'; base-uri 'none'
script-src 'strict-dynamic' 'sha256-MKgjHN/uHnaFdjV+WQmG2kDfBKUZ/7VcynwBlQKVqdo=' 'sha256-f58GxZy2dk4t4ZRmiNvEzBAQWIqu2FpT/t20pWGT9Ro=' <-- NEW 'self' https: http:; object-src 'none'; base-uri 'none'
But it doesn’t work... and there is just the usual RTFM that you find in web dev. MDN is pretty good, to be honest, but there are never enough examples.
Maybe there’s something different between the hash of an inline script (everything between the tags) and a linked resource (the whole file? I would think). I thought separate files was
People online claim Chrome will helpfully just tell you what hash it’s looking for, but it’s not even doing that for me.
Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:1414/tex-chtml-full.js (“script-src”).
Refused to load the script 'http://localhost:1414/tex-chtml-full.js' because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'sha256-MKgjHN/uHnaFdjV+WQmG2kDfBKUZ/7VcynwBlQKVqdo=' 'sha256-f58GxZy2dk4t4ZRmiNvEzBAQWIqu2FpT/t20pWGT9Ro=' 'self' https: http:". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Ugggh I feel like I need to read more docs. I know the feeling.
I can’t even get a sanity check of
<script src="hello.js"></script> with the standard
alert('Hello, world.'); to work with standard sha256 (straight out of the docs) of
qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=. But still, nowhere to turn but the same docs you’ve been following all along.
I miss Flash MX. I miss ActionScript. I even miss XSLT/XPath/XQuery/XMLDBs, to make the XML all worth it.
I hate web development, sometimes. Most of the time, lol.
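
On the question above of inline versus linked scripts, this added example (not part of the original post) computes the hash source each kind of `<script>` needs: the exact text between the tags for an inline script, every byte of the file for a linked one, which under CSP Level 3 is matched through the element's `integrity` attribute. The names `csp_hash`, `ScriptAudit`, `audit` and `hello_nl.js` are made up for illustration, and the sample page and files are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser

def csp_hash(data: bytes) -> str:
    """Same value as `openssl dgst -sha256 -binary | openssl base64`."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

class ScriptAudit(HTMLParser):
    def __init__(self, files):
        super().__init__()
        self.files = files    # constructed stand-in for static/: {src: bytes}
        self.results = []     # (what, csp_source, integrity_matches)
        self._inline = None   # text chunks of the inline script being read

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" in attrs:
            # Linked script: the digest covers every byte of the file.
            digest = "sha256-" + csp_hash(self.files[attrs["src"]])
            self.results.append((attrs["src"], f"'{digest}'", attrs.get("integrity") == digest))
        elif tag == "script":
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).encode("utf-8")  # exact text between the tags
            self.results.append(("inline", f"'sha256-{csp_hash(body)}'", None))
            self._inline = None

def audit(page: str, files: dict) -> list:
    parser = ScriptAudit(files)
    parser.feed(page)
    parser.close()
    return parser.results

# Constructed sample: the post's one-line script, with and without extra newlines.
HELLO = b"alert('Hello, world.');"
FILES = {"hello.js": HELLO, "hello_nl.js": HELLO + b"\n"}
PAGE = (
    "<script>alert('Hello, world.');</script>\n"
    "<script>\nalert('Hello, world.');\n</script>\n"
    f'<script src="hello.js" integrity="sha256-{csp_hash(HELLO)}"></script>\n'
    '<script src="hello_nl.js"></script>\n'
)
```

Calling `audit(PAGE, FILES)` returns one row per script; only the byte-exact copies produce the hash quoted in the post, and a single trailing newline in the file or between the tags yields a different value.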