Closed Bug 1426765 Opened 7 years ago Closed 7 years ago

JS script from Github enterprise blocked by SRI

Categories

(Core :: DOM: Security, enhancement)

Type: enhancement
Priority: Not set
Severity: normal

Status: RESOLVED INVALID

People

(Reporter: francois, Unassigned)

Attachments

(1 file)

We've received a report that some of the JS resources in Github enterprise get blocked by SRI in Firefox, but not in Chrome:

  https://github.com/webcompat/web-bugs/issues/14307
Here is the script element from the page HTML:

    <script crossorigin="anonymous" integrity="sha256-m+J/NoR59Mraotv0ZCx5ia+sOW1sYew+xBEqoK0klKs=" src="https://assets.github.factset.com/assets/frameworks-9be27f368479f4cadaa2dbf4642c7989afac396d6c61ec3ec4112aa0ad2494ab.js"></script>

along with the JS file which does hash to the value in the HTML:

    $ openssl dgst -sha256 -binary frameworks-9be27f368479f4cadaa2dbf4642c7989afac396d6c61ec3ec4112aa0ad2494ab.js | openssl base64 -A
    m+J/NoR59Mraotv0ZCx5ia+sOW1sYew+xBEqoK0klKs=
Flags: needinfo?(fbraun)

Freddy: since Francois is still on PTO, any idea what could be going on here?

It seems to me that the bug isn't about the file but rather about how the file is delivered to Firefox. I know we had problems with various transport encodings in the past.
Maybe there are other encodings that are used less widely which will trigger similar problems?

I'd have to get access to a GitHub enterprise instance to nail this down.
SRI debug logs and a decrypted traffic dump would help as well.

Instructions on how to get SRI debug logs below:

How to test:
1) run Firefox with an environment variable MOZ_LOG="SRI:4" 
2) collect log output from stdout and attach to this bug
Keywords: testcase-wanted
Flags: needinfo?(fbraun)
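The hash check from comment 0 and the transport-encoding suspicion in Freddy's comment, as an added example (not code from the bug report, from Firefox or from GitHub): it checks a script body against an HTML `integrity` attribute the way a browser does (strongest listed algorithm wins, unknown algorithms and `?options` suffixes are ignored), and shows that hashing the gzip bytes that actually travel on the wire, rather than the decoded body, is one way to get a mismatch even though the file on disk hashes correctly. The sample script, the attribute values and the function names are constructed for this example.

```python
"""Added example, not code from the bug report or from Firefox: checks a
script body against an HTML `integrity` attribute the way a browser does,
and shows why hashing the compressed wire bytes instead of the decoded
body (the transport-encoding problem Freddy mentions) produces a mismatch.
The sample script and attribute values are constructed for this example."""
import base64
import binascii
import gzip
import hashlib

# Weakest to strongest. Per the SRI spec a browser keeps only the hashes
# that use the strongest algorithm it understands and ignores the rest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Return "<alg>-<base64>" for data, the same value the report gets from
    `openssl dgst -sha256 -binary file | openssl base64 -A`."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str):
    """Split an integrity attribute into (algorithm, raw digest) pairs.

    Tokens with an unknown algorithm, undecodable base64 or a digest of the
    wrong length are dropped, and a trailing "?options" suffix is ignored,
    which matches browser behaviour."""
    parsed = []
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        alg = alg.lower()
        if not sep or alg not in SRI_ALGORITHMS:
            continue
        b64 = rest.split("?", 1)[0]
        try:
            digest = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(digest) != hashlib.new(alg).digest_size:
            continue
        parsed.append((alg, digest))
    return parsed


def integrity_matches(body: bytes, attr: str) -> bool:
    """True if body matches any digest given for the strongest algorithm.

    An attribute with no usable hashes imposes no constraint: the browser
    loads the resource as if there were no integrity attribute at all."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max((alg for alg, _ in parsed), key=SRI_ALGORITHMS.index)
    actual = hashlib.new(strongest, body).digest()
    return any(alg == strongest and digest == actual for alg, digest in parsed)


# Constructed stand-in for the frameworks-*.js file in the report.
SAMPLE_JS = b"(function () { window.frameworksLoaded = true; })();\n"
SAMPLE_ATTR = sri_digest(SAMPLE_JS, "sha256")


def transport_encoding_demo():
    """Check the decoded body, the gzip wire bytes, and the body recovered
    from those wire bytes against the same attribute."""
    wire = gzip.compress(SAMPLE_JS, mtime=0)  # what Content-Encoding: gzip sends
    return {
        "decoded_body": integrity_matches(SAMPLE_JS, SAMPLE_ATTR),
        "gzip_wire_bytes": integrity_matches(wire, SAMPLE_ATTR),
        "decompressed_wire": integrity_matches(gzip.decompress(wire), SAMPLE_ATTR),
    }


if __name__ == "__main__":
    print(SAMPLE_ATTR)
    for name, ok in transport_encoding_demo().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

The `decoded_body` and `decompressed_wire` checks match while `gzip_wire_bytes` does not, which is the shape of the bug Freddy is describing: the file is fine, the bytes the SRI code ends up hashing are not. It is also why the later suggestion to hash the copy Firefox itself downloaded, rather than one fetched with wget, is a useful test.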

Some things that might help debug this:

* What version of GitHub Enterprise is this?
* Try performing the SHA256 calculation using the file downloaded with Firefox (rather than wget).
* When you download the file using Firefox, provide the full request/response headers (minus any sensitive cookies).

I quickly did a search and do not see this reported more broadly internally. But I will look in a few more spots later today.

I downloaded Firefox 58.0b15 for Mac and I was able to access a copy of GitHub Enterprise 2.12.1 with no problems.

Answers:

* What version of GitHub Enterprise is this?
A: This is GitHub Enterprise 2.11.

I checked the network tab while loading github.factset.com and searched for any .css. The request headers are as follows:

    Accept          text/css,*/*;q=0.1
    Accept-Encoding gzip, deflate, br
    Accept-Language en-US,en;q=0.5
    Cache-Control   no-cache
    Connection      keep-alive
    DNT             1
    Host            assets.github.factset.com
    Origin          https://github.factset.com
    Pragma          no-cache
    Referer         https://github.factset.com/
    User-Agent      Mozilla/5.0 (Windows NT 6.1; W…) Gecko/20100101 Firefox/58.0

But there is no response.
All I see is a security error:

    assets.github.factset.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

Is this the cause of the issue?
Why is the certificate alright in Chrome?

Hmm... so did you have to manually accept the cert when you first accessed `http://github.factset.com`? Might there be some difference between Firefox/Chrome on whether you need to re-accept for subdomains that use the same cert? Can you try manually navigating to `assets.github.factset.com` to see?

Genius!! Patrick, that worked!!
I mean, although some bits are still not loaded correctly, at least the website looks closer to normal.

Thank you very much.
I'll try playing around with more of the unsuccessful stuff and see if there are more security exceptions to be added.

Security exceptions had to be added for:

* assets.github.factset.com
* avatars.github.factset.com

Thank you very much, guys.
Now I know what to check first when an intranet page doesn't load correctly.

How do I resolve this?

You either need to get a non-self-signed cert installed on the server or you need to add the self-signed trusted root cert to your cert store so that the browser trusts that cert without having to manually add it for each site.
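What the SEC_ERROR_UNKNOWN_ISSUER error in the reporter's network tab means, and why Patrick's two fixes work, as an added example that is not part of the bug or of GitHub Enterprise: it builds a throwaway private root, an intermediate and a server certificate with the openssl CLI, then verifies the server certificate against a client that trusts only the root. The verification fails when the server presents the bare leaf and succeeds once the intermediate is supplied, which is what a server that sends its full chain (or a client that already trusts the private CA) gets. The CA names, the hostname assets.ghe.example and the temp directory layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the bug or from GitHub: reproduce the
# SEC_ERROR_UNKNOWN_ISSUER situation with a throwaway private PKI and
# show that the leaf only verifies when the intermediate is available,
# i.e. sent by the server or already present in the client's trust store.
# All names, the hostname and the file layout are assumptions for the example.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Private root CA: the certificate an enterprise would push to every trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -keyout root.key -out root.crt -subj "/CN=Example Private Root" 2>/dev/null

# Intermediate CA signed by the root. It must carry CA:TRUE to be usable as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 3650 -extfile inter.ext -out inter.crt 2>/dev/null

# Server (leaf) certificate for the assets host, signed by the intermediate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:assets.ghe.example\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=assets.ghe.example" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out leaf.crt 2>/dev/null

# A client that trusts only the root and receives the bare leaf cannot find
# the leaf's issuer: openssl reports "unable to get local issuer certificate",
# Firefox reports SEC_ERROR_UNKNOWN_ISSUER. Exit status is non-zero.
chain_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Same client once the intermediate is supplied next to the leaf, which is what
# a correctly configured server does in its TLS handshake. Exit status is zero.
chain_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

if chain_without_intermediate; then
  echo "leaf alone: OK (unexpected)"
else
  echo "leaf alone: unknown issuer"
fi
if chain_with_intermediate; then
  echo "leaf + intermediate: OK"
fi
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts`, which prints every certificate the server actually sends; if only the leaf appears, the fix belongs on the server (send the intermediate), not in every user's browser. Chrome appearing to work is consistent with it caching an intermediate seen elsewhere or using the OS trust store, which the bug does not go into.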
Thank you so much me_theonlyone and Patrick for jointly resolving this issue!

Closing this bug, as it's not in Firefox but an operational problem with the specific GitHub Enterprise installation.
Status: NEW → RESOLVED
Closed: 7 years ago
Keywords: testcase-wanted
Resolution: --- → INVALID