Error on encrypted website load

[stereokai]

I'm trying to access a site encrypted with Staticcrypt

What's happening

When I do ... then this happens: Access the website - Staticrypt spinner is visible - error in console:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob:". Either the 'unsafe-inline' keyword, a hash ('sha256-LTOw8XXB1tSHEqT1Hr3wjvdWM3JY8EiA6a0HBIgdwzg='), or a nonce ('nonce-...') is required to enable inline execution.

What should be happening

I expect this would happen instead: Staticrypt login interface visible

My setup

StatiCrypt version: ^3.4.0
Node version: 21.5.0
Any additional relevant context, if any:

[jimhark]

Are you seeing this issue when using a file:// URL? If so, have you tested with an http:// or https:// URL?

[stereokai]

Thanks for the reply, I'm seeing it on a site published and accessed with https

[robinmoisson]

Hi @stereokai - thanks for reaching out.

This is due to the CSP headers you are setting - these disable the use of javascript inside <script>...</script> tags. This is to force the page to use external JS files (a high level rule to avoid a general risk of JS injection).

Unfortunately, staticrypt is by design a single self-contained file, so it can't follow that solution. Two solutions that I see here:

• relax your CSP policy for this page script-src 'self' blob: 'unsafe-inline'
• add the hashes of the content in the script tags in your policy, to whitelist them: script-src 'self' blob: 'sha256-hash1' 'sha256-hash2' 'sha256-hash3'

The solution 2 is more secure if you want to stay as close as possible to your original policy (though the general use of staticrypt is basically through the first solution). This would mean you'd have to manually generate the hash for each <script> tag in your encrypted file though.

And the hash will change each time you're encrypting the file. We could change that by saving the encrypted string to a html node attribute so that the actual script stays the same for each run though, that'd be a quality of life improvement. And maybe merging all scripts together so there's only one hash, that way you'd only have to update the single hash if you update staticrypt version.