Open Bug 1834808 Opened 6 months ago Updated 5 months ago

Local script override breaks SRI


(DevTools :: Debugger, defect, P3)



(Not tracked)


(Reporter: denschub, Unassigned)


(Blocks 1 open bug)



(1 file)


  1. Open this testcase, which is also attached.
  2. Observe that the body contains a "hello, world!" message
  3. Open the JS Debugger, search the main.js script in the sidebar, add a script override
  4. Save the file without any changes
  5. Reload


The testcase should still work fine.


JS fails. In the console, you can see

“data:application/x-javascript;base64,...” is not eligible for integrity checks since it’s neither CORS-enabled nor same-origin.

and even if the resource would be eligible for SRI checks, they'd fail as soon as you change the contents of that script file, so it would be best to turn off SRI checks at all for scripts with local overrides.

I'll note that I have yet experience this as an actual issue while doing diagnosis work, and Tom has only seen it once. I'm filing this primarily to not forget about this, but this probably has low priority.

I will, however, also note that cdnjs generates <script> tags that have both a CORS-attribute and an integrity attribute by default.

Severity: -- → S3
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.