1938307 - Show more details for "None of the sha512 hashes match the integrity..." error

Status: RESOLVED FIXED

(Core :: DOM: Security, enhancement)

Description

[Jan Honza Odvarko [:Honza] (always need-info? me)]

Originally reported on Connect: https://connect.mozilla.org/t5/ideas/show-more-details-for-quot-none-of-the-sha512-hashes-match-the/idi-p/79310

I usually use firefox to develop my website and then move it over to chrome.
I noticed this issue with Firefox.
It does not give a detailed enough error message to properly debug the issue.

Most websites will have quite a few script/link tags, so it is very tedious to manually check the hash of each one.

In chrome, it simply gives you the URL for the resource that failed the hash check.
Firefox should update this to give some more details (ie. the path).

In firefox:
" None of the “sha512” hashes in the integrity attribute match the content of the subresource. The computed hash is “..." app_name"

In chrome:
Failed to find a valid digest in the 'integrity' attribute for resource 'url_to_file' with computed SHA-512 integrity '...'. The resource has been blocked. app_name

Comment 1

[Nicolas Chevobbe [:nchevobbe]]

This is where the message is defined https://searchfox.org/mozilla-release/rev/d8f30fc43d8a411937b53bb95eb9555356e9bcb8/dom/locales/en-US/chrome/security/security.properties#62

I'll ask Tom if we could also include the URL in the message when he's back

Comment 2

[Tom Schuster (MoCo)]

Attachment: Bug 1938307 - Include the resource URI for failed SRI checks. r?freddyb

Comment 3

[Pulsebot]

Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5c0817645bdf
Include the resource URI for failed SRI checks. r=freddyb

Comment 4

[pstanciu]

https://hg.mozilla.org/mozilla-central/rev/5c0817645bdf