Failed to find a valid digest in the 'integrity' #1231
Comments
|
As I noted in the other thread, have you followed these instructions? |
|
Yes, I followed the instructions. In PC browser works fine (facilbardelivery.com.br) but in chrome(for android) not. However, when I test the app in Heroku (facilbar.herokuapp.com) with HTTPS it works even in mobile phone. So, is required use SSL? |
|
Ugh. I think we’ll have to revert this change because I don’t know how to troubleshoot this. cc @XVincentX |
|
Let me dig into - subresource integrity does not require SSL at all. |
|
It sounds like the feature is simply doing what it's intended to do. Do you have compression enabled in your Chrome for Android browser? SSL prevents this from happening. Maybe we should look for https in PUBLIC_URL and toggle this feature based on that. |
|
"The proxy performs intelligent compression and minification of HTML, JavaScript and CSS resources, which removes unnecessary whitespace, comments, and other metadata which is not essential to the rendering of the page. These optimizations, combined with mandatory gzip compression for all resources, can yield substantial bandwidth savings for the client." |
|
@Timer this is it!!! Thanks! When i disable it works perfectly. |
|
That might eventually change the received file which is seen as a resource tampering from the browser. This is not happening on mobile Safari (just tested on my iPhone) |
|
I think in this mode it does a proxy cache that even with the digest is not invalidated. |
|
Actually we could inject a stub which strips resource validation when over HTTP. Currently, this feature is going to cause more pain than benefit because of Chrome compression or ISP compression if they partake in it. |
How would this work? I’d like to see a proof of concept. |
|
That's sad, but I understand that it's blocking and annoying :( |
Sorry I was speaking in mere hypotheticals; it's not something I have done before. In theory we would inject a script tag before the bundle script tag, and add the ^ sound crazy enough to work? |
|
I think the best plan of action currently would be to remove usage of the plugin until we can find a work around or make it opt-in. I would like to see an issue tagged |
|
Happy to take a PR removing it until we figure out what to do. |
|
😢 PR #1233 |
|
Closing via #1233, please feel free to open new issues / PRs if you have ideas on how to add this back. |
|
Should be fixed in |
|
😢 I'm going to add language to our README to clarify this point, current draft is here: See also https://bugs.chromium.org/p/chromium/issues/detail?id=642928 |
|
Cool, @jscheid! I was not aware of this. |
@Timer It's a clever hack! :-) Unfortunately, inline scripts don't play nice with CSP, and conceivably there's a large overlap between folks who'd want to use SRI and those who'd want to add a CSP. Theoretically it's possible to white-list inline scripts with CSP, but that's not exactly straightforward. I think at that point you're better off just setting Of course, with a non-inline script it becomes a catch 22 if you do use SRI for it, and Achilles' heel if you don't :-/ Not to mention the extra HTTP request. There's also potential issues for people with JS disabled or ad blockers, considering that SRI also affects CSS loading. I believe CSP is already a show-stopper here so probably not worth elaborating on this. |
|
For the record, I wasn't aware of this problem either before today or I would have let you guys know. (When I said "clarify this point" above, perhaps it made it sound like I knew about this before, but I didn't.) |
|
Yea no worries. Today we learned. :-) |
|
Me too - I didn't really think there were so many consequences. |
|
I've tested compression proxies a while ago, and they all respected |
|
In the Ember world they have default SRI with no problems. It's more clear today what exactly is the problem? It's a problem also for this kind of issues: https://www.troyhunt.com/im-sorry-you-feel-this-way-natwest-but-https-on-your-landing-page-is-important |
|
Given the prevalence of https, is this even still an issue? I'm happy to do the work needed to make it an opt-in if someone could direct me to an example of how an opt-in feature looks like in create-react-app or what is the recommended way of doing it. I recently created a browser plugin that verifies the pgp signature of a page. It relies on subresource-integrity to also validate external scripts and styles. I need it for the EteSync web app (uses react-based web app), and I'd rather not eject just to add this. |
|
Furthermore, one way of fixing those applications that break because of subresource integrity is just make them change the resource uri scheme from "://" to "https://", making sure that subresources are always loaded from an encrypted source and thus won't be mangled by evil proxies. |
When i run the build command and upload my files to server this error appears in mobile browsers:
Failed to find a valid digest in the 'integrity' attribute for resource 'http://facilbardelivery.com.br/static/css/main.33fa5f7d.css' with computed SHA-256 integrity 'fhBe+EZQ6zPH/PQFiIlVZjwvoWQGAWe1s8BEyp2TJ6k='. The resource has been blocked.
The text was updated successfully, but these errors were encountered: