ember-cli-sri icon indicating copy to clipboard operation
ember-cli-sri copied to clipboard

Published 20 hours ago verified publisher icon jonathanKingston

Integrity hash failing

Open ghost opened this issue 9 years ago • 7 comments
trafficstars

I am getting the already mentioned issue , in Chrome (Version 50.0.2661.86 (64-bit) Safari (Version 9.1 (11601.5.17.1)) Firefox (41.0.1) I get a white page , and in the console :

Failed to find a valid digest in the 'integrity' attribute for resource
'https://www.my-orientation.com/assets/vendor-3490848894f35dc09a765bd6d92c451d.js'
with computed SHA-256 integrity 'CEWiFoCoI5mT8LnEhhETXdTArxMyLvhThCtMTVrylUg='.
The resource has been blocked.

my environment ember-cli: 2.5.0 node: 5.10.1 os: darwin x64

using

` "ember-cli-deploy": "0.6.1", "ember-cli-deploy-build": "0.1.1", "ember-cli-deploy-display-revisions": "0.2.1", "ember-cli-deploy-gzip": "0.2.3", "ember-cli-deploy-revision-data": "0.2.1", "ember-cli-deploy-rsync": "0.0.4", "ember-cli-deploy-ssh-index": "0.2.2",

"ember-cli-sri": "^2.1.0",

`

When I disable SRI

SRI: {
  enabled: false
}

and transfer the code via scp , it's running fine ...

ghost avatar Apr 27 '16 11:04 ghost

@erwin16 i suspect something i modifying the file, breaking the SRI constraint.

stefanpenner avatar Apr 27 '16 18:04 stefanpenner

Later: I just found #18, which seems to be my issue.

I'm experiencing this as well and have narrowed it down to the following.

When I run ember build --environment=production, I get the following in my index.html:

<script src='assets/tango-e3ee3d89974185f03be7c22441f123c3.js'></script>

When I make some changes to my config/environment.js, I get the following instead:

<script src='assets/tango-86339726c6eb7751172b46139d440d4f.js' integrity="sha256-B3zGg4+XDaioXj4HaP+q/TKttRiLc0Vmz+XNI2/v9uw= sha512-HUXEjTVjim0+8C4YHHss0ed7xtTGoJ2QVYtg543HHHyzTzcAmlG0i4G3sW5Y60BopybswsIZ3umLTQdDArxCmg==" ></script>

The only changes are

// BEFORE, working:
var ENV = {
  ...
  baseURL: '/canary/',
  ...
};

// AFTER, broken:
var ENV = {
  ... // no baseURL
};

That is, removing baseURL causes this library to start adding integrity to the app.js <script> tag. Not to any of the other tags, though.

jamesarosen avatar May 24 '16 23:05 jamesarosen

I am having trouble following along. I add the below to my ember-cli-build, but not sure the implications of setting SRI.enabled to false -- All my assets are local and I not using anything 3rd party

This

 var app = new EmberApp(defaults, {
    SRI: {
      enabled: false,
    },
  });

bdougie avatar May 28 '16 11:05 bdougie

hi i can confirm this issue is still happening. any further investigation needed?

Cryrivers avatar Aug 30 '16 11:08 Cryrivers

It seems, I have the same problem. My steps are:

  1. Remove dist folder
  2. Run ember build --prod
  3. Open index.html and see the value of integrity attribute
  4. Run cat dist/assets/my_filename | openssl dgst -sha256 -binary | openssl enc -base64 -A
  5. Compare result => they are different.
  6. Upload my app to Chrome Store
  7. Compare from Crome console after approve and my => they are identical (Chrome calculate the same value as me)

abbasovalex avatar Nov 19 '16 01:11 abbasovalex

I am still getting this as well with ember-cli-sri: ^2.1.0 and ember-cli: 2.11

grounded-warrior avatar Aug 30 '17 12:08 grounded-warrior

I can confirm that this is still an issue with ^2.1.0 and Ember CLI 2.16.2. Building normally using ember build --prod and deploying to Azure does not work (integrity failures). However if I run the step number 4 from @abbasovalex's comment and update the originally generated index.html to the new hash value it works fine.

Either something changed with the hash generation process itself that needs to be updated, or something else is modifying the tree after the SLI hash is generated. Unfortunately you can't observe the entire build pipeline with Ember-CLI in order to see order in which plugins are executed...

mlb5000 avatar Dec 01 '17 17:12 mlb5000