Hey,
I'm trying to create working hashes for my Jellyfin instance in the content security policy headers, but can't figure out what's wrong.
My current policy is this:
contentsecuritypolicy: " base-uri 'none'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'self'; img-src 'self'; media-src 'self' data:; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'"
and gives a valid A+ website certificate, but I want to remove the unsafe-inline from style-src and replace it with a hashed value of the responsible main.jellyfin.bundle.js file that is referenced in the browser console log.
The new policy looks like this:
contentsecuritypolicy: " ... style-src 'self' 'sha256-mGNg....'"
It results in the following error messages:
Content-Security-Policy: The settings of this site use Inline-Styles (style-src-elem or style-src-attr) are blocked, because they violate the policy "style-src-elem or attr 'self' 'sha256-...'" and reference the file, e.g. main.jellyfin.bundle.js:2:859986 or main.jellyfin.bundle.js:2:797356.
The file is always the same, so I hashed the content of it and used that hash in the Traefik config, but it doesn't work.
Does anyone know what's wrong with this approach? Is the website referencing different files than what my browser console is showing?
Thanks in advance for any tips
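
How a style-src hash-source is matched, as an added example that is not part of the original post: the browser hashes the text of the inline `<style>` element (or, with `'unsafe-hashes'`, the `style` attribute value) itself, not the script file the console names as the source location. The helper names and the sample markup are assumptions made up for illustration; styles a script injects at runtime would have to be taken from the rendered DOM.

```python
import base64
import hashlib
from html.parser import HTMLParser


def csp_hash(text):
    """Hash-source for inline content: base64 of SHA-256 over its exact UTF-8 text."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


class InlineStyles(HTMLParser):
    """Collects <style> element bodies and style="" attribute values."""

    def __init__(self):
        super().__init__()
        self.elements, self.attributes, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._buf = []
        self.attributes += [v for k, v in attrs if k == "style" and v]

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)  # whitespace is part of the hashed text

    def handle_endtag(self, tag):
        if tag == "style" and self._buf is not None:
            self.elements.append("".join(self._buf))
            self._buf = None


def style_directives(html):
    """Build style-src-elem / style-src-attr without 'unsafe-inline'."""
    p = InlineStyles()
    p.feed(html)
    p.close()
    elem = " ".join(["'self'"] + [csp_hash(s) for s in p.elements])
    # Hashes apply to style attributes only together with 'unsafe-hashes'.
    attr = " ".join(["'unsafe-hashes'"] + [csp_hash(s) for s in p.attributes]) \
        if p.attributes else "'none'"
    return f"style-src-elem {elem}; style-src-attr {attr}"


# Constructed sample markup, not taken from Jellyfin.
SAMPLE = '<style>.hide{display:none}</style><div style="color:red">x</div>'

if __name__ == "__main__":
    print(style_directives(SAMPLE))
```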