SHA-384 integrity checks failed on various css and js files #103
Comments
Weird. I'm not seeing any errors and resources are loading fine for me. When the files fail to load, the site is fairly broken (poorly styled, JS not working), correct? For reference, I used the following to compute the current hashes:
Any thoughts on this?
Yes, style for the light theme was messed up and dropdown menus did not expand.
Thanks for the details. I'd really like to get this fixed but can't reproduce at the moment...right now I'm using Chrome 71 (and Firefox 65) on macOS without problems. What OS/Chrome are you using? Could you include relevant output from the Chrome console?
This is on Windows 10, both using Chrome 72.0.3626.109 and Firefox 65.0.1. Was able to reproduce on two machines. The Chrome console gives the following output: (index):1 Failed to find a valid digest in the 'integrity' attribute for resource 'http://192.168.1.10:3002/css/bootstrap.min.css' with computed SHA-256 integrity 'O+tIQpqELVwzC5tMwKUYZS4eyhYSH0C9wdTEHk/xoIw='. The resource has been blocked.
It is up to the devs to build an automatic function into the build script. I will figure this out and will make a pull request.
@Styco Thanks for that log output. It's suspicious that the error messages mention SHA-256 integrity, considering that most of the hashes are specified as SHA-384.
… modified (minified?) before being hashed in some situations
@Styco I don't feel confident in this solution, but if you can, please let me know if d3ef035 fixes the problem for you. The idea here is that the CSS/JS files may in some way be modified (such as by being automatically minified) when transferred over HTTP, as is the case in your setup (when accessed via HTTPS this behavior is not possible), therefore leading to different hashes.
No, that did not fix it. Same issue occurs.
Thanks for the update. I just got set up with a Windows 10 VM and I'm able to reproduce the issue. At the moment I believe the root cause may be line-ending differences between Windows/Unix. Using
Cool, let me know if you need additional testing/feedback!
Yes, I tested it and can confirm that this fix works!
Great! Thanks for testing for me.
I set up the latest version of btc-rpc-explorer today, and experienced some issues with the web interface. After pulling up the Chrome console, it appears that various files failed the SHA-384 integrity check. The following files failed to load:
/css/bootstrapmin.css
/js/jquery.min.js
/js/popper.min.js
/js/bootstrap.min.js
/js/highlight.min.js
I temp-fixed it locally by replacing the hashes with an empty string in /views/layout.pug, but it seems like the hashes need to be recomputed and replaced?
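The line-ending cause discussed in this thread, as an added example that is not part of the issue or the project's code: a Node.js check that recomputes SRI digests over the served bytes and reports whether CRLF/LF normalisation accounts for a mismatch. The function names and the sample CSS are constructed for illustration.

```javascript
// Added example, not btc-rpc-explorer code. Sample data below is constructed.
const crypto = require("crypto");

const STRENGTH = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);
const algOf = (token) => token.slice(0, token.indexOf("-"));

// SRI token ("sha384-<base64>") over the exact bytes the server sends.
function sriDigest(bytes, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(bytes).digest("base64")}`;
}

// Browser-style check: only the strongest listed algorithm counts, any one
// digest for it may match, and an attribute with no usable token blocks nothing
// (which is why emptying the attribute makes the files load, unverified).
function matchesIntegrity(integrityAttr, bytes) {
  const tokens = integrityAttr.trim().split(/\s+/)
    .map((t) => t.split("?")[0])            // drop any "?options" suffix
    .filter((t) => STRENGTH.has(algOf(t))); // ignore unknown algorithms
  if (tokens.length === 0) return true;
  const best = Math.max(...tokens.map((t) => STRENGTH.get(algOf(t))));
  return tokens
    .filter((t) => STRENGTH.get(algOf(t)) === best)
    .some((t) => t === sriDigest(bytes, algOf(t)));
}

// Report whether normalising line endings explains a mismatch.
function diagnose(integrityAttr, bytes) {
  if (matchesIntegrity(integrityAttr, bytes)) return "match";
  const text = bytes.toString("latin1"); // latin1 round-trips every byte
  const lf = Buffer.from(text.replace(/\r\n/g, "\n"), "latin1");
  const crlf = Buffer.from(text.replace(/\r?\n/g, "\r\n"), "latin1");
  if (matchesIntegrity(integrityAttr, lf)) return "match-after-crlf-to-lf";
  if (matchesIntegrity(integrityAttr, crlf)) return "match-after-lf-to-crlf";
  return "mismatch";
}

// Constructed sample: hash pinned from an LF copy, file served from a CRLF copy.
const lfCopy = Buffer.from("body {\n  color: #222;\n}\n");
const crlfCopy = Buffer.from("body {\r\n  color: #222;\r\n}\r\n");
const pinned = sriDigest(lfCopy);

console.log("LF copy:        ", diagnose(pinned, lfCopy));
console.log("CRLF copy:      ", diagnose(pinned, crlfCopy));
console.log("empty attribute:", matchesIntegrity("", crlfCopy));
```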