devtools/cmd/csphash: check for template expansion in scripts

Report any scripts that will change dynamically due to a template
expansion. CSP hashing can't support scripts like that, because the
contents and therefore the hash will change on each execution.

Change-Id: I975859a59c8f5d19bcd0ffc5dad1e5068a380587
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/240500
Reviewed-by: Julie Qiu <julie@golang.org>
diff --git a/devtools/cmd/csphash/main.go b/devtools/cmd/csphash/main.go
index d1fea80..f50bbfb 100644
--- a/devtools/cmd/csphash/main.go
+++ b/devtools/cmd/csphash/main.go
@@ -55,6 +55,12 @@
 				fmt.Printf("%s: has script with src attribute: %s\n", file, s.tag)
 				ok = false
 			}
+			if bytes.Contains(s.body, []byte("{{")) {
+				fmt.Printf("%s: has script with template expansion:\n%s\n", file, s.body)
+				fmt.Printf("Scripts must be static so they have a constant hash.\n")
+				ok = false
+				continue
+			}
 			hash := cspHash(s.body)
 			if !cspHashMap[hash] {
 				fmt.Printf("missing hash: add the lines below to %s:\n", *hashFile)
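Review bot: The new `bytes.Contains(s.body, []byte("{{"))` test recognises only the default template delimiter, and nothing in the code records that assumption. If any template were ever parsed with custom delimiters (not visible from this hunk), the tool would hash the unexpanded source and emit a hash that never matches the rendered script. A comment above the check would make the limit explicit, e.g. `// Heuristic: assumes the default "{{" action delimiter; a script containing an action renders differently per request, so no static CSP hash can match it.` The message could also tell the author what to do instead, for example moving the dynamic value out of the script into a data attribute the static script reads, so the fix is not to loosen the policy. The enclosing loop begins and ends outside the hunk.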