Add support for hashes to the script-src directive

Author: martijnc

README.md

@@ -150,6 +150,9 @@ Your HTML should look like this:
 
 The nonce should be random for each request so attackers cannot predict the nonce value.
 
+### Hashes
+If your application requires inline scripts you can serve the SHA256, SHA384, or SHA512 hash of the source as part of the script-src directive in your policy to allow the script to run. This way you don't need to enable unsafe-inline.
+
 ### Violation reports
 CSP gives you the option to receive reports about CSP violations. Each time a page loads a resource that is blocked by your CSP policy, the browser will submit a JSON object to the URL you specified in your policy. In the following example, those report will be send to `https://example.com/csp/report.php`:
 

examples/example-hash.php

@@ -0,0 +1,37 @@
+<?php
+/**
+ * Copyright 2015, Martijn Croonen.
+ * All rights reserved.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';
+
+use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;
+
+$policy = new ContentSecurityPolicyHeaderBuilder();
+
+// Set the default-src directive to 'none'
+$policy->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC, 'none');
+
+$script = "alert('Hello, world.');";
+
+$policy->addHash(
+    ContentSecurityPolicyHeaderBuilder::HASH_SHA_256,
+    hash(ContentSecurityPolicyHeaderBuilder::HASH_SHA_256, $script, true)
+);
+
+// Get your CSP headers
+$headers = $policy->getHeaders(false);
+foreach ($headers as $header) {
+    header(sprintf('%s: %s', $header['name'], $header['value']));
+}
+?>
+
+<html>
+<body>
+<!-- Script will work -->
+<script type="text/javascript"><?php echo $script; ?></script>
+</body>
+</html>

src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php

@@ -308,6 +308,38 @@ class ContentSecurityPolicyHeaderBuilder
         null
     ];
 
+    /**
+     * SHA 256 hash indicator.
+     *
+     * @var string
+     */
+    const HASH_SHA_256 = 'sha256';
+
+    /**
+     * SHA 384 hash indicator.
+     *
+     * @var string
+     */
+    const HASH_SHA_384 = 'sha384';
+
+    /**
+     * SHA 512 hash indicator.
+     *
+     * @var string
+     */
+    const HASH_SHA_512 = 'sha512';
+
+    /**
+     * Supported hash algorithms.
+     *
+     * @var array
+     */
+    protected $hashAlgorithmValues = [
+        self::HASH_SHA_256,
+        self::HASH_SHA_384,
+        self::HASH_SHA_512
+    ];
+
     /**
      * Holds the value for the 'X-Frame-Options' header when set.
      *
@@ -510,6 +542,27 @@ public function addSourceExpression($directive, $expression)
         $this->directives[$directive]['expressions'][] = $expression;
     }
 
+    /**
+     * Add a hash value to the script-src.
+     *
+     * @param string $type
+     * @param string $hash
+     * @throws InvalidDirectiveException
+     */
+    public function addHash($type, $hash)
+    {
+        $directive = self::DIRECTIVE_SCRIPT_SRC;
+        if (!(isset($this->directives[$directive]) && is_array($this->directives[$directive]))) {
+            $this->directives[$directive] = [];
+        }
+
+        if (!(isset($this->directives[$directive]['hashes']) && is_array($this->directives[$directive]['hashes']))) {
+            $this->directives[$directive]['hashes'] = [];
+        }
+
+        $this->directives[$directive]['hashes'][$type][] = $hash;
+    }
+
     /**
      * Returns the CSP header that should be used (enforced mode or report-only mode).
      *
@@ -621,6 +674,15 @@ private function parseDirectiveValue($directive)
             }
         }
 
+        // Parse the hashes
+        if (isset($directive['hashes']) && is_array($directive['hashes'])) {
+            foreach ($directive['hashes'] as $type => $hashes) {
+                foreach ($hashes as $hash) {
+                    $expressions[] = sprintf("'%s-%s'", $type, base64_encode($hash));
+                }
+            }
+        }
+
         return trim(implode(' ', array_map(function($value) {
             return $this->encodeDirectiveValue($value);
         }, $expressions)));

tests/Phpcsp/Security/ContentSecurityPolicyHeaderBuilderTest.php

@@ -304,6 +304,79 @@ public function testFrameOptionsValueAllowFrom()
         $this->assertEquals('ALLOW-FROM http://example.com', $headers[0]['value']);
     }
 
+    /**
+     * Test for the SHA 256 hashing support.
+     *
+     * @throws InvalidDirectiveException
+     */
+    public function testHashSha256()
+    {
+        $policy = $this->getNewInstance();
+
+        $script = "alert('Hello, world.');";
+
+        $policy->addHash(
+            ContentSecurityPolicyHeaderBuilder::HASH_SHA_256,
+            hash(ContentSecurityPolicyHeaderBuilder::HASH_SHA_256, $script, true)
+        );
+
+        $headers = $policy->getHeaders(true);
+        $this->assertEquals(1, count($headers));
+        $this->assertEquals(
+            'script-src \'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=\';',
+            $headers[0]['value']
+        );
+    }
+
+    /**
+     * Test for the SHA 384 hashing support.
+     *
+     * @throws InvalidDirectiveException
+     */
+    public function testHashSha384()
+    {
+        $policy = $this->getNewInstance();
+
+        $script = "alert('Hello, world.');";
+
+        $policy->addHash(
+            ContentSecurityPolicyHeaderBuilder::HASH_SHA_384,
+            hash(ContentSecurityPolicyHeaderBuilder::HASH_SHA_384, $script, true)
+        );
+
+        $headers = $policy->getHeaders(true);
+        $this->assertEquals(1, count($headers));
+        $this->assertEquals(
+            'script-src \'sha384-H8BRh8j48O9oYatfu5AZzq6A9RINhZO5H16dQZngK7T62em8MUt1FLm52t+eX6xO\';',
+            $headers[0]['value']
+        );
+    }
+
+    /**
+     * Test for the SHA 512 hashing support.
+     *
+     * @throws InvalidDirectiveException
+     */
+    public function testHashSha512()
+    {
+        $policy = $this->getNewInstance();
+
+        $script = "alert('Hello, world.');";
+
+        $policy->addHash(
+            ContentSecurityPolicyHeaderBuilder::HASH_SHA_512,
+            hash(ContentSecurityPolicyHeaderBuilder::HASH_SHA_512, $script, true)
+        );
+
+        $headers = $policy->getHeaders(true);
+        $this->assertEquals(1, count($headers));
+        $this->assertEquals(
+            'script-src \'sha512-Q2bFTOhEALkN8hOms2FKTDLy7eugP2zFZ1T8LCvX42Fp3WoNr3bjZSAHeOsHrbV1Fu9/A0EzCinRE7Af1ofP' .
+            'rw==\';',
+            $headers[0]['value']
+        );
+    }
+
     /**
      * Creates fresh instances of the helper.
      *