I’m trying to add MathJax to my site, either via CDN or dumping it in static/ or whatever.

I just can’t get the new CSP right. I don’t hate the idea of CSP, just this execution I guess.

The <script> itself

I’m trying to add:

<script src="/tex-chtml-full.js"></script>

so I would naturally, you know, put that file in static/ and go and compute:

$  openssl dgst -sha256 -binary ./static/tex-chtml-full.js | openssl base64

which I should put in my Content-Security-Policy.


script-src 'strict-dynamic'
  'self' https: http:; object-src 'none'; base-uri 'none'


script-src 'strict-dynamic'
  'sha256-f58GxZy2dk4t4ZRmiNvEzBAQWIqu2FpT/t20pWGT9Ro='         <-- NEW
  'self' https: http:; object-src 'none'; base-uri 'none'

But it doesn’t work.. and there is just the usual RTFM that you find in web dev. MDN is pretty good, to be honest, but there’s never enough examples.

Maybe there’s something different between the hash of an inline script (everything between the tags) and a linked resource (the whole file? I would think). I thought separate files was

People online claim Chrome will helpfully just tell you what hash it’s looking for, but it’s not even doing that for me.


Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:1414/tex-chtml-full.js (“script-src”).


Refused to load the script ‘http://localhost:1414/tex-chtml-full.js’ because it violates the following Content Security Policy directive: “script-src ‘strict-dynamic’ ‘sha256-MKgjHN/uHnaFdjV+WQmG2kDfBKUZ/7VcynwBlQKVqdo=’ ‘sha256-f58GxZy2dk4t4ZRmiNvEzBAQWIqu2FpT/t20pWGT9Ro=’ ‘self’ https: http:”. ‘strict-dynamic’ is present, so host-based whitelisting is disabled. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.

Ugggh I feel like I need to read more docs. I know the feeling.

I can’t even get a sanity check of <script src="hello.js"></script> with the standard alert('Hello, world.'); to work with standard sha256 (straight out of the docs) of qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=. But still, nowhere to turn but the same docs you’ve been following all along.

Given the absolute dogshit state of Web Privacy1, for this to be Hard for someone who learned HTML 20 years ago, has a CS degree, works professionally as a software developer.. and I’m struggling to shake the reality out of the docs: it’s beyond broken. This whole system sucks, we should just start over without JavaScript, without linked resources2, without “sandboxes”, without globals. All of this, to amount to not much better than Gopher with better styling.

I miss Flash MX. I miss ActionScript. I even miss XSLT/XPath/XQuery/XMLDBs, to make the XML all worth it.

I hate web development, sometimes. Most of the time, lol.

  1. there basically isn’t any. The level of fingerprinting available is just reckless surveillance. Literally reckless, just making money trying not to appreciate the concern. Where’s Jeff Goldblum? 

  2. <a> is the true link, not <script> or god forbid <link>