New issue
Advanced search Search tips

Issue 660731 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 642928
Owner: ----
Closed: Oct 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Sign in to add a comment

Data Saver breaks subresource integrity

Reported by jleedev@gmail.com, Oct 30 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.28 Safari/537.36

Steps to reproduce the problem:
1. Install Data Saver extension
2. Visit wiki.c2.com

What is the expected behavior?

What went wrong?
The page is broken. Error in console:

Failed to find a valid digest in the 'integrity' attribute for resource 'http://code.jquery.com/jquery-3.1.1.js' with computed SHA-256 integrity 'OTe3j66CKRuT1GCEPhRQ0mIUj42UVz1RVAAav0Lh8vw='. The resource has been blocked.

The script tag is shown below:

<script
  src="http://code.jquery.com/jquery-3.1.1.js"
  integrity="sha256-16cdPddA6VdVInumRGo6IbivbERE8p7CQR3HzTBuELA="
  crossorigin="anonymous">
</script>

The script is minified on the fly by Data Saver extension, which changes the SHA256 hash of the resource. The issue is that subresource integrity for HTTP sites is fundamentally incompatible with a feature which is designed to intercept and modify all the resources on a page.

Did this work before? N/A 

Chrome version: 55.0.2883.28  Channel: beta
OS Version: OS X 10.12.1
Flash Version: 

I can't reproduce this issue on Android.
 
Components: Internals>Network>DataProxy
Mergedinto: 642928
Status: Duplicate (was: Unconfirmed)

Sign in to add a comment