Local script override breaks SRI
Categories
(DevTools :: Debugger, defect, P3)
Tracking
(Not tracked)
People
(Reporter: denschub, Unassigned)
References
(Blocks 1 open bug)
Attachments
(1 file)
680 bytes,
application/zip
STR:
- Open this testcase, which is also attached.
- Observe that the body contains a "hello, world!" message
- Open the JS Debugger, search the main.js script in the sidebar, add a script override
- Save the file without any changes
- Reload
Expected:
The testcase should still work fine.
Actual:
JS fails. In the console, you can see
“data:application/x-javascript;base64,...” is not eligible for integrity checks since it’s neither CORS-enabled nor same-origin.
and even if the resource would be eligible for SRI checks, they'd fail as soon as you change the contents of that script file, so it would be best to turn off SRI checks at all for scripts with local overrides.
I'll note that I have yet to experience this as an actual issue while doing diagnosis work, and Tom has only seen it once. I'm filing this primarily to not forget about this, but this probably has low priority.
I will, however, also note that cdnjs generates <script> tags that have both a CORS-attribute and an integrity attribute by default.
Comment 1•1 years ago
We probably need a bail out in case of script override over there:
https://searchfox.org/mozilla-central/rev/a4fd6daad3a4123d995478467c1274653b283801/dom/security/SRICheck.cpp#336-338
Or... reset nsIHttpChannelInternal.integrityMetadata, but I suspect it may not be enough:
https://searchfox.org/mozilla-central/rev/a4fd6daad3a4123d995478467c1274653b283801/netwerk/protocol/http/nsIHttpChannelInternal.idl#408
Comment 2•10 months ago
I came across this when trying to add an override for a js file for Snapchat web in bug1829758.
...
<script defer="defer" src="https://cf-st.sc-cdn.net/dw/e41b4fa927f08042aae1.js" integrity="sha384-NGo9RJSNo5HxnsjPeTdvDdpPf+7TonmTIuQZcktoEuxK9oLS48By63RPKDJPkiHN" crossorigin="anonymous"></script>
<script defer="defer" src="https://cf-st.sc-cdn.net/dw/7c79e428a9c4f60e632e.js" integrity="sha384-zHpeyVB9SD7JaH8OB1VYA9fxxMkyzo1Qg5CB3FdifC8SN26WE58Ja8O12SswFT9k" crossorigin="anonymous"></script>
A possible workaround is to add an override for the html file and remove the integrity attribute, but that depends on bug1849920, I believe.
Comment 3•5 months ago
I was testing this with another approach to override scripts, reusing Channel's setResponseOverride added by Bug 1900375. It somehow fixes those STRs, because we just replace the response body of the script by something identical. But as soon as you change the script (which is the goal), then the SRI check fails.
So either we fix bug 1849920 (which should be possible thanks to setResponseOverride), or we need to relax the SRI checks when the response is overridden by devtools.
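The two failure modes discussed in this bug, as an added example that is not part of the report or of Firefox's code: a simplified Python model of the SRI decision (eligibility first, then digest comparison). The URLs, script bodies and function names are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

STRENGTH = ["sha256", "sha384", "sha512"]  # SRI digests, weakest to strongest

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Build an integrity attribute value for a script body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def origin(url: str):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

def eligible(page_url: str, response_url: str, cors_ok: bool) -> bool:
    """Checkable only if the response passed CORS or is same-origin."""
    return cors_ok or origin(page_url) == origin(response_url)

def sri_check(integrity, page_url, response_url, cors_ok, body) -> str:
    """Return 'ok', 'ineligible' or 'mismatch' for one script load."""
    entries = [t.split("?")[0].split("-", 1) for t in integrity.split()]
    entries = [e for e in entries if len(e) == 2 and e[0] in STRENGTH]
    if not entries:
        return "ok"  # no usable metadata, nothing to enforce
    if not eligible(page_url, response_url, cors_ok):
        return "ineligible"
    # Only the strongest algorithm present is enforced.
    best = max((alg for alg, _ in entries), key=STRENGTH.index)
    for alg, expected in entries:
        if alg == best and sri_value(body, alg) == f"{alg}-{expected}":
            return "ok"
    return "mismatch"

# Constructed sample data (not the bug's attached testcase).
PAGE = "https://example.test/index.html"
SCRIPT = "https://cdn.example.test/main.js"
ORIGINAL = b'document.body.textContent = "hello, world!";\n'
EDITED = ORIGINAL + b'console.log("debug");\n'
INTEGRITY = sri_value(ORIGINAL)
# An override served as a data: URL has no CORS headers and an opaque origin.
DATA_URL = ("data:application/x-javascript;base64,"
            + base64.b64encode(ORIGINAL).decode())

if __name__ == "__main__":
    print(sri_check(INTEGRITY, PAGE, SCRIPT, True, ORIGINAL))     # CDN load
    print(sri_check(INTEGRITY, PAGE, DATA_URL, False, ORIGINAL))  # STR above
    print(sri_check(INTEGRITY, PAGE, SCRIPT, True, EDITED))       # edited body
    print(sri_check("", PAGE, DATA_URL, False, EDITED))           # attr removed
```

The last call corresponds to the workaround of removing the integrity attribute from the HTML: with no metadata there is nothing to enforce, so the edited override loads.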