microsoft · dannimad · Jun 10, 2025 · Jun 3, 2025 · Jun 5, 2025 · Jun 5, 2025
diff --git a/docs/static/staticwebapp.config.json b/docs/static/staticwebapp.config.json
@@ -1,7 +1,7 @@
 {
 	"globalHeaders": {
 		"cache-control": "must-revalidate, max-age=3600",
-		"Content-Security-Policy": "require-trusted-types-for 'script'; trusted-types default dompurify ff#webpack; report-uri https://csp.microsoft.com/report/FluidFramework-WW"
+		"Content-Security-Policy-Report-Only": "script-src 'self' 'sha256-faMHt+UAWeoFU7ZBnPhfAu9zOnnNUwL4RYp09gSUEjU=' 'sha256-O8zYuOjyuzUZDv3fub7DKfAs5TEd1dG+fz+hCSCFmQA='; require-trusted-types-for 'script'; trusted-types default dompurify ff#webpack; report-uri https://csp.microsoft.com/report/FluidFramework-WW"
 	},
 	"navigationFallback": {
 		"rewrite": "/api/fallback"

diff --git a/docs/validateHashes.sh b/docs/validateHashes.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -eu -o pipefail
+# This script validates the hashes of inline scripts in the index.html file against the configured hashes in the staticwebapp.config.json file.
+indexFile="build/index.html"
+configFile="static/staticwebapp.config.json"
+
+echo "Extracting and hashing inline scripts from $indexFile"
+
+expectedHashes="expected_hashes.txt"
+generatedHashes="generated_hashes.txt"
+> "$expectedHashes"
+> "$generatedHashes"
+
+# Extract inline scripts and compute hashes
+awk 'BEGIN { RS="</script>"; FS="<script[^>]*>" }
+NF>1 { print $2 }' "$indexFile" | while read -r scriptContent; do
+if [[ "$scriptContent" != "" ]]; then
+echo "$scriptContent" | tr -d '\n'| openssl dgst -sha256 -binary | openssl base64 | sed 's/^/sha256-/' >> "$generatedHashes"
+fi
+done
+
+echo "Extracted Hashes:"
+cat "$generatedHashes"
+
+echo "Reading configured hashes from $configFile"
+grep -oE "sha256-[A-Za-z0-9+/=]{43,45}" "$configFile" | sort | uniq > $expectedHashes
+cat $expectedHashes
+
+echo "Validating..."
+fail=0
+while read -r actualHash; do
+if ! grep -q "$actualHash" $expectedHashes; then
+echo "Missing hash in config: $actualHash"
+fail=1
+else
+echo "Hash matched: $actualHash"
+fi
+done < "$generatedHashes"
+
+rm -f "$generatedHashes" "$expectedHashes"
+
+if [ "$fail" -ne 0 ]; then
+echo "Inline script hashes do not match configured values. Override the hashes in $configFile with the extracted hashes."
+exit 1
+fi
+
+echo "All inline script hashes are valid."
diff --git a/tools/pipelines/deploy-website.yml b/tools/pipelines/deploy-website.yml
@@ -137,6 +137,13 @@ stages:
           env:
             INSTRUMENTATION_KEY: $(INSTRUMENTATION_KEY)
 
+        - task: Bash@3
+          displayName: 'Check inline script hashes correctness'
+          inputs:
+            targetType: 'filePath'
+            workingDirectory: $(Build.SourcesDirectory)/docs
+            filePath: '$(Build.SourcesDirectory)/docs/validateHashes.sh'
+
         # Run the tests
         - task: Npm@1
           displayName: Run tests