wilsonge
3 Apr 2020

Steps to reproduce the issue

@SharkyKZ found the reason here: #26505 (comment)

Since #25357 rendered scripts/styles have formatting added to them. But the hash is generated from scripts/styles without formatting. So the hashes don't match scripts/styles that appear on the page.

Assuming SRI works on pages with MIME type other than text/html, this was actually broken since the beginning because we wrap code in CDATA on such pages:

$buffer .= $tab . $tab . '/*<![CDATA[*/' . $lnEnd;

Expected result

CSP Script hashes work

Actual result

They don't

wilsonge - open - 3 Apr 2020
zero-24 - comment - 18 Apr 2020

Ok, found the real reason for this. It has nothing to do with the CDATA stuff but with the $tab and $lnEnd stuff. I'm working on a patch.

zero-24 - comment - 18 Apr 2020

Please see: #28719

zero-24 - close - 18 Apr 2020
zero-24 - change - 18 Apr 2020
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2020-04-18 09:55:54
Closed_By: zero-24
zero-24 - comment - 18 Apr 2020

Just for a note

Assuming SRI works on pages with MIME type other than text/html, this was actually broken since the beginning because we wrap code in CDATA on such pages:

We only run CSP on HTML pages so this CDATA stuff was not the reason.
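
Added example (not part of the issue thread and not Joomla's code): a browser matches a CSP hash against the exact text between `<script>` and `</script>`, so a hash taken before `$tab`/`$lnEnd` formatting is added never matches the rendered page. The renderer, helper names and sample script below are constructed for illustration; hashing the rendered text is one assumed way to keep the two in sync, the other being to emit the script without the extra formatting.

```php
<?php
// Added illustration only; function names and sample data are hypothetical.

/** CSP source expression: base64 of the raw SHA-256 digest of the script text. */
function cspHash(string $content): string
{
    return "'sha256-" . base64_encode(hash('sha256', $content, true)) . "'";
}

/** Hypothetical renderer that indents the script body with $tab and $lnEnd. */
function renderInlineScript(string $content, string $tab = "\t", string $lnEnd = "\n"): string
{
    $body = $lnEnd;
    foreach (explode("\n", $content) as $line) {
        $body .= $tab . $tab . $line . $lnEnd;
    }
    return $tab . '<script>' . $body . $tab . '</script>' . $lnEnd;
}

/** Exact text of every inline script element, which is what the browser hashes. */
function extractScriptTexts(string $html): array
{
    preg_match_all('#<script\b[^>]*>(.*?)</script>#is', $html, $m);
    return $m[1];
}

/** Inline scripts in $html whose hash does not appear in the policy string. */
function findBlockedScripts(string $html, string $policy): array
{
    $blocked = [];
    foreach (extractScriptTexts($html) as $text) {
        if (strpos($policy, cspHash($text)) === false) {
            $blocked[] = $text;
        }
    }
    return $blocked;
}

$script = "console.log('hello');";      // constructed sample script
$html   = renderInlineScript($script);  // what actually reaches the browser

// Hash taken from the unformatted source (the mismatch described in this issue).
$policyFromSource = "script-src 'self' " . cspHash($script);
// Hash taken from the rendered text, whitespace included.
$policyFromOutput = "script-src 'self' " . cspHash(extractScriptTexts($html)[0]);

echo 'blocked, hash of source: ', count(findBlockedScripts($html, $policyFromSource)), PHP_EOL;
echo 'blocked, hash of output: ', count(findBlockedScripts($html, $policyFromOutput)), PHP_EOL;
```

Running `findBlockedScripts()` over rendered pages in a test suite catches this class of regression whenever output formatting changes.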
