Content-Security-Policy hash of script

This is still incredibly confusing. I'm running Chrome 40 and like you I've just spent far longer than I would have liked figuring out what's going on.

The CSP 2 spec says this about hashing <script> elements:

For example, the SHA-256 digest of alert('Hello, world.'); is YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo=.

I've managed to generate that hash by running:

$ echo -n "alert('Hello, world.');" | openssl dgst -sha256 | base64
YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo=

But this does not work in Chrome 40.

The editor's draft of CSP says this:

For example, the SHA-256 digest of alert('Hello, world.'); is qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=.

The example they give is generated with:

$ echo -n "alert('Hello, world.');" | openssl dgst -sha256 -binary | base64
qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=

The addition of the -binary flag to openssl is the difference between the two commands.

This does work in Chrome 40 (stable) and Chrome Canary, but I believe it still has issues in Firefox 36.

UPDATE: it seems script hashes are not supported in the Chrome release version. My test only works in Chrome Canary (when using script-src, not default-src).
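An added example (not part of the answer above) that reproduces both values in Python: the working token is base64 of the raw digest bytes, the non-working one is base64 of the hex digest plus a trailing newline, which is what a plain `openssl dgst` or `sha256sum` line gives you. The policy string and `script_matches_policy` helper are constructed for illustration.

```python
import base64
import hashlib

# Inline script body from the spec example. Note that browsers hash the exact
# text between <script> and </script>, so leading/trailing whitespace or a
# newline inside the element changes the digest.
SCRIPT = "alert('Hello, world.');"


def csp_sha256_token(script_body: str) -> str:
    """CSP hash-source for an inline script: base64 of the raw SHA-256
    digest of the UTF-8 bytes (openssl dgst -sha256 -binary | base64)."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def hex_then_base64(script_body: str) -> str:
    """The mistake behind the first value: base64 of the *hex* digest text
    plus the newline that the hashing tool prints, not of the raw bytes."""
    hexdigest = hashlib.sha256(script_body.encode("utf-8")).hexdigest()
    return base64.b64encode((hexdigest + "\n").encode("ascii")).decode("ascii")


def script_matches_policy(script_body: str, policy: str) -> bool:
    """Constructed check: is the script's sha256 token listed as a source in
    the policy's script-src directive? (Only script-src is consulted here.)"""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return csp_sha256_token(script_body) in parts[1:]
    return False


if __name__ == "__main__":
    print("working token:    ", csp_sha256_token(SCRIPT))
    print("hex-then-base64:  ", hex_then_base64(SCRIPT))
```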

——

You should try using "script-src" instead of "default-src" (based on my quick reading of the working draft)