No Script Block Detected with the Hash Value Declared in Content Security Policy (CSP)
Description
This informational alert identifies a Content Security Policy (CSP) configuration issue where a script hash value is declared in the CSP header but no corresponding script block with that hash exists in the HTML document. This represents an 'orphaned hash' - a mismatch between the CSP policy and the actual page content. A hash source that matches no script never allows anything to execute, so the finding is not directly exploitable; it does, however, indicate a CSP maintenance issue (typically an inline script that was edited or removed without the policy being updated) that should be corrected to keep the policy accurate and avoid confusion during security reviews.
Remediation
Review the Content Security Policy and identify all script hash values that do not correspond to actual script blocks in the HTML document. Remove these orphaned hashes from the CSP directive to maintain policy accuracy.
Steps to remediate:
1. Examine the CSP header or meta tag and locate the script-src directive containing the orphaned hash
2. Search the HTML document for inline script blocks to verify no matching content exists (a CSP hash is computed over the exact bytes between the <script> tags, so a change in whitespace or a trailing newline is enough to make an existing hash stale)
3. Remove the unused hash value from the CSP policy
4. If the script was recently modified, regenerate the hash using the current script content and update the CSP accordingly
5. Implement a CSP management process to ensure hashes are updated whenever inline scripts change
Example of removing an orphaned hash:
Before:
Content-Security-Policy: script-src 'sha256-abc123...' 'sha256-orphaned456...'
After:
Content-Security-Policy: script-src 'sha256-abc123...'