dropin-minimal-css icon indicating copy to clipboard operation
dropin-minimal-css copied to clipboard

Published 20 hours ago verified publisher icon dohliam

Failed to find a valid digest in the 'integrity' attribute

Open EvgenyOrekhov opened this issue 4 years ago • 6 comments

Steps to reproduce:

  1. Go to https://evgenyorekhov.github.io/holiday.css/src/index.html
  2. Click on the Drop-in bookmarklet
  3. Select a different CSS framework from the Drop-in switcher

Expected result: selected framework's styles should be applied to the page

Actual result: styles are not applied, there is the following error in the browser console

Failed to find a valid digest in the 'integrity' attribute for resource
'https://dohliam.github.io/dropin-minimal-css/min/awsm.min.css'
with computed SHA-256 integrity
'giTWrXju6B1GUPSb1nHYBfCZzd73kLweWPjVOBzNxAA='.
The resource has been blocked.

image

EvgenyOrekhov avatar May 23 '20 11:05 EvgenyOrekhov

@EvgenyOrekhov It looks like this error is caused by the integrity check in the CSS link to normalize.min.css on that page:

<link
            rel="stylesheet"
            href="https://cdnjs.cloudflare.com/ajax/libs/modern-normalize/0.6.0/modern-normalize.min.css"
            integrity="sha256-a9JO7L1jGkja9va1xGMWEJspCfU/b9Vn5u/O5MdnKhw="
            crossorigin="anonymous"
        />

As far as I understand, this basically checks that the loaded minified Normalize CSS file has not been changed. However, the bookmarklet does change the CSS (it replaces it), so the integrity test fails.

There are probably a few ways to fix this -- you could of course remove the integrity check or (if that's not possible), move the call to Normalize CSS down in the list of linked stylesheets (the switcher just tries to replace the first linked stylesheet).

Hope that helps!

dohliam avatar May 23 '20 18:05 dohliam

If the switcher was inserting a new <link> element instead of replacing an existing one, I think it would solve the issue. What do you think?

It's just more and more websites are starting to use integrity checks.

EvgenyOrekhov avatar May 23 '20 19:05 EvgenyOrekhov

Yes, it did do something like that at first, but I quickly discovered that this leads to unexpected results because it effectively layers the new stylesheet on top of the old one (often this results in no effect at all, actually -- particularly if the first stylesheet has lots of !important statements). So this is an imperfect solution but it does work most of the time.

dohliam avatar May 23 '20 19:05 dohliam

So what is the switcher trying to emulate? I mean, if it tries to emulate how the page would look if you included one of the themes along with your existing styles, then the switcher should not mess with existing styles at all. If the switcher is supposed to emulate how the page would look if you included only one of the themes, then the switcher should remove all existing styles first. The way it works now, is a mix of both. That is unexpected.

EvgenyOrekhov avatar May 23 '20 19:05 EvgenyOrekhov

Yes, it might be a good idea to try recursively removing all styles before adding the switcher. This might break a lot of pages though, so it would probably need a lot of testing on various sites and with all the different stylesheets. On the other hand, it might allow some pages to work with the switcher that currently don't (like Github itself).

dohliam avatar May 25 '20 15:05 dohliam

I ran in a similar issue. Removing the integrity attribute with css_link.integrity="" the styles are loaded correctly. I also tried delete css_link.integrity and css_link.integrity=undefined, but those didn't seem to work.

lemmi avatar Sep 12 '22 11:09 lemmi