New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 698240 link

Starred by 2 users
Status: Duplicate
Merged: issue 677022
Owner:
y...@yoav.ws
Last visit > 30 days ago
Closed: Mar 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

When CSS files have an SRI attribute they are downloaded twice.

Reported by scott.he...@gmail.com, Mar 3 2017 
UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce the problem:
1. Add a valid integrity attribute to a css file.
2. Load the page.
3. Observer the network tab in dev tools.

What is the expected behavior?
The file should not be loaded twice.

What went wrong?
For some reason the files seem to be loaded twice. I haven't had time to investigate why, there are no error messages about integrity checks failing for example, but SRI is a security mechanism so I added the security flag.

If it doesn't turn out to be a security issue please feel free to remove the flag.

I found out about the bug from a comment on Troy Hunt's blog: https://www.troyhunt.com/protecting-your-embedded-content-with-subresource-integrity-sri/#comment-3183394805

I've attached screenshots of the network tab for my site on both Firefox and Chrome. Chrome is loading all SRI protected CSS files twice, Firefox is not. My site: https://scotthelme.co.uk

Did this work before? Yes 

Chrome version: 56.0.2924.87  Channel: stable
OS Version: 10.0
Flash Version:

Comment 1 by elawrence@chromium.org, Mar 3 2017

Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: Untriaged (was: Unconfirmed)
Summary: When CSS files have an SRI attribute they are downloaded twice. (was: When CSS files have an SRI attribute they are loaded twice.)
This is a possible bug in a security feature, but no claim of a vulnerability is present.

Comment 2 by mkwst@chromium.org, Mar 6 2017

Components: Blink>Loader
Labels: OS-Android OS-Chrome OS-Linux OS-Mac
Owner: y...@yoav.ws
Status: Assigned (was: Untriaged)
Scott: Do you see this in Canary?

yoav@: I think you were looking at something for `<link>`?

Comment 3 by y...@yoav.ws, Mar 6 2017

Mergedinto: 677022
Status: Duplicate (was: Assigned)
Yeah, this is something we see with SRI, where it cannot properly handle resources that are taken out of MemoryCache.

Comment 4 by scott.he...@gmail.com, Mar 6 2017 

Yeah, I still see this on Canary. 

I'm not sure if this is something to do with loading from memory like the other issue suggests. The attached screenshot is a fresh install of Canary (never installed on this machine) and the first page it loaded was my blog and I still saw the double downloading of assets. Both of the requests show network activity and a 200 status.
canary.png
110 KB View Download

Comment 5 by scott.he...@gmail.com, Mar 6 2017 

An empty cache and hard reload showed them with a size in a subsequent load, unlike the 0 byte size above.
canary-2.png
106 KB View Download

Comment 6 by y...@yoav.ws, Mar 6 2017 

I believe it's the same issue. The preloadScanner is downloading the resource and putting it in MemoryCache. Then the DOM node for the resource is created, fails to grab the resource from MemCache and downloads it again (potentially getting it from the disk cache, if the resource is cacheable)

Sign in to add a comment