Closed Bug 1743420 Opened 4 years ago Closed 4 years ago

CORS integrity for jQuery 3.6.0 failed in 91.3.0esr (64-Bit)

Categories

(Core :: DOM: Security, defect)

Firefox 91
defect


RESOLVED INVALID

People

(Reporter: g.brinkmann, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

Referenced jQuery 3.6.0 minified as provided at https://code.jquery.com/ (in a company internal page)

<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script>

Actual results:

Firefox 91.3.0esr (64-Bit) fails to find a valid digest for integrity and blocks the reference because of this.

Note: This does not happen when using for example engines Chrome 95.0.4638.69 or Edge 96.0.1054.34.

Expected results:

The reference as provided at https://code.jquery.com/ should work in Firefox too - I guess.

Component: Untriaged → Security

Hi g.brinkmann,
I don't have the technical knowledge to test this issue on my end, but I see that a component has already been set for this ticket. Let's wait for the Security team to take a look and advise.
Feel free to include any additional information that can help investigate this issue.
Thanks,
Jerónimo.

Flags: needinfo?(sgalich)

FYI: I've tried to reproduce with Firefox 94 & 96 using https://galich.github.io/web-tests/jquery-integrity-cors.html and jQuery loaded as expected.

Component: Security → DOM: Security
Flags: needinfo?(sgalich)
Product: Firefox → Core

Worked for me in Firefox 91.3 on Mac

What error are you actually seeing on the console? "CORS Integrity" doesn't quite make sense. Are you ONLY using the integrity attribute (the Sub-Resource Integrity feature), or are you then trying to use the Hash in a Content-Security-Policy (CSP) script-src directive? The latter is a newer feature of CSP3 that Firefox does not yet support (hashes are only supported for inline scripts and styles).

Flags: needinfo?(g.brinkmann)

Hi,

it's a static plain html file that starts with (see also initial post regarding the script src block)

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="robots" content="noindex, nofollow, none, noarchive, nosnippet, noimageindex, nocache">
<title>page title</title>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"
integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4="
crossorigin="anonymous"></script>

followed by custom css and js.

The console messages are

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://code.jquery.com/jquery-3.6.0.min.js. (Reason: CORS request did not succeed).
None of the “sha256” hashes in the integrity attribute match the content of the subresource. (filename of the page replaced here)

Happens also with 94.0 on a Linux Mint notebook when not accessing the page via our company's fw, proxy, caching.

Does not happen with other browsers as stated in the initial post.

Checking Sergey's test I don't see these messages.

His page starts like

<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8'>
<meta http-equiv='X-UA-Compatible' content='IE=edge'>
<title>jQuery integrity cors check</title>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script>

Regards,
G.

Flags: needinfo?(g.brinkmann)

Hello,

well, what should I say, can I donate you some beer?

Solved.

It looks like it was just my uMatrix.
I'm not sure if it has been updated during the last days.

I feel so dumb...

Solved as invalid, Regards,
G.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID