Thanks for your reply once again, Amit.
We are looking to use this technique to allow inline script: https://www.w3.org/TR/CSP2/#script-src-hash-usage
The steps are as follows:
1) Turn on AppDynamics EUM
2) Check the webpage and copy the entire injected <script> block's contents
3) Compute the SHA-512 hash of (2)
4) Configure AP to add this static CSP HTTP header, with the hash computed in (3), to every page served, like so:
Content-Security-Policy: script-src 'sha512-YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo='
Using this method, any change in the injected <script> block's contents will break our CSP whitelist, as the browser will disallow non-whitelisted JavaScript.
We would like to know if this block is subject to change, assuming we do not modify the configuration of the Browser Application via the AppDynamics dashboard. Possible changes that we thought of are JS logic changes or an automatic version bump of adrum.ext.hash.js, etc.
I hope I was able to explain it more clearly this time! Thank you!
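The procedure in steps 2 to 4 can be checked automatically. The following is an added example, not part of the original post and not AppDynamics code: it computes a CSP2 hash-source as the base64 of the raw digest of the exact script text, and reports inline scripts on a served page that the policy no longer covers. The function names are hypothetical; a hash-source whose decoded length is not the digest size (for example a base64-encoded hex string) is reported as malformed.

```python
import base64, hashlib, re
from html.parser import HTMLParser

DIGEST_LEN = {"sha256": 32, "sha384": 48, "sha512": 64}  # raw digest sizes in bytes

def csp_hash_source(script_text, alg="sha512"):
    """Hash-source for an inline script: base64 of the raw digest of its exact text."""
    digest = hashlib.new(alg, script_text.encode("utf-8")).digest()
    return "'%s-%s'" % (alg, base64.b64encode(digest).decode("ascii"))

class InlineScripts(HTMLParser):
    """Collect the text of <script> elements that have no src attribute."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.blocks, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.blocks.append("".join(self._buf))  # whitespace is part of the hash input
            self._buf = None

def policy_hashes(header_value):
    """Return (valid, malformed) hash-sources found in a CSP header value."""
    valid, malformed = set(), set()
    pattern = r"'(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})'"
    for alg, b64 in re.findall(pattern, header_value):
        try:
            raw = base64.b64decode(b64, validate=True)
        except ValueError:  # bad padding or alphabet
            raw = b""
        target = valid if len(raw) == DIGEST_LEN[alg] else malformed
        target.add("'%s-%s'" % (alg, b64))
    return valid, malformed

def uncovered_scripts(html, header_value):
    """Inline scripts in html that no well-formed hash in the policy allows."""
    valid, _ = policy_hashes(header_value)
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    return [s for s in parser.blocks
            if not any(csp_hash_source(s, alg) in valid for alg in DIGEST_LEN)]
```

Run against the page as served after each agent or configuration update, a non-empty result from `uncovered_scripts` means the injected block changed and the header needs a new hash before browsers start blocking it.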