@SharkyKZ found the reason here: #26505 (comment)
Since #25357 rendered scripts/styles have formatting added to them. But the hash is generated from scripts/styles without formatting. So the hashes don't match scripts/styles that appear on the page.
Assuming SRI works on pages with MIME type other than text/html, this was actually broken since the beginning because we wrap code in CDATA on such pages:
CSP Script hashes work
They don't
Labels |
Added:
?
?
|
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-04-18 09:55:54 |
Closed_By | ⇒ | zero-24 |
Labels |
Removed:
?
|
Just for a note
Assuming SRI works on pages with MIME type other than text/html, this was actually broken since the beginning because we wrap code in CDATA on such pages:
We only run CSP on HTML pages so this CDATA stuff was not the reason.
Ok found the real reason for this. It has nothing todo with the CDATA stuff but with the $tab and $lnEnd stuff. I'm working on a patch