Joomla! Issue Tracker | Joomla! CMS #28557 - [4.0] Script/Style hash validation broken

Closed
18 Apr 2020
Medium
Build: staging
# 28557

wilsonge
3 Apr 2020

Steps to reproduce the issue

@SharkyKZ found the reason here: #26505 (comment)

Since #25357 rendered scripts/styles have formatting added to them. But the hash is generated from scripts/styles without formatting. So the hashes don't match scripts/styles that appear on the page.

Assuming SRI works on pages with MIME type other than text/html, this was actually broken since the beginning because we wrap code in CDATA on such pages:

joomla-cms/libraries/src/Document/Renderer/Html/HeadRenderer.php

Line 231 in 56d8a35

$buffer .= $tab . $tab . '/*<![CDATA[*/' . $lnEnd;

Expected result

CSP Script hashes work

Actual result

They don't

wilsonge - open - 3 Apr 2020

joomla-cms-bot - change - 3 Apr 2020

Labels

Added: ? ?

joomla-cms-bot - labeled - 3 Apr 2020

zero-24 - comment - 18 Apr 2020

Ok found the real reason for this. It has nothing todo with the CDATA stuff but with the $tab and $lnEnd stuff. I'm working on a patch

zero-24 - comment - 18 Apr 2020

Please see: #28719

zero-24 - close - 18 Apr 2020

zero-24 - change - 18 Apr 2020

Status	New	⇒	Closed
Closed_Date	0000-00-00 00:00:00	⇒	2020-04-18 09:55:54
Closed_By		⇒	zero-24

zero-24 - change - 18 Apr 2020

Labels

Removed: ?

zero-24 - unlabeled - 18 Apr 2020

zero-24 - comment - 18 Apr 2020

Just for a note

Assuming SRI works on pages with MIME type other than text/html, this was actually broken since the beginning because we wrap code in CDATA on such pages:

We only run CSP on HTML pages so this CDATA stuff was not the reason.

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#28557] - [4.0] Script/Style hash validation broken

Steps to reproduce the issue

Expected result

Actual result

Add a Comment