failed to find a valid digest in the 'integrity' attribute? #297
Comments
|
Hello, Yes, I think it is caused by the latest changes in RC.4 where we have enabled strict CSP by default to enforce good security practices. Take a look at following resources to learn more about Integrity
@vejja maybe we could add migration guide for this issue to Release Notes? |
|
Makes sense. Yes, maybe a migration guide would be helpful - though maybe it makes sense that I should expect it to have breaking changes since I was on the RC. :) But maybe the bigger problem is that I'm not sure that the feature is working right? That first article says "Nuxt Security automatically computes the integrity hash of each static asset (scripts, stylesheets, etc.) that are bundled in your Nuxt Application, and then inserts this value in the resulting HTML file." I'm pretty sure the failing files were all CSS & JS that are generated by my Nuxt application. Here's the screenshot with less obfuscated:
|
|
We are trying our best not to include any breaking changes but sometimes it is just not possible. There we also try to add migration guides to make migration easier. At this point, if after upgrading, you encounter an issue that is blocking the applciation you can either stay at 1.0.0-rc.3 version or disable Subresource Integrity for now (security.sri: false) Me and @vejja will try to find the solution in the meantime :) |
|
@georgesaliba Can you tell me what is the value of the integrity attribute of your |
|
@vejja How can I find that? I think that file is dynamically constructed by Nuxt, the issue only occurred when I tried to ship the code into production (didn't repro locally), and I had to quickly roll it back because it caused the whole site to go down. So even if I knew how to calculate it, would I have to cause another live site outage to find that value, or is there a less impactful way? |
|
You're right... For now I think the safest thing to do is to set Is there a way you could build locally without deploying ? If not : I am trying to understand why the calculated integrity hash differs from the one you deliver in production. |
|
Yes, I can run build locally. But not sure how to find the integrity. I tried the fourth option command from Baroshem's second link above on my generated file, and it gave me a hash of wsVcd+MufiHE2rN83nQXLvySQzpPqUfo/pALNeuhqmHpP/M9kO0/4Yw8IVkyvW7g - but I'm not sure what the production one is (the code has changed since the outage). I'm guessing I'd have to deploy again to find it? Also assuming if I were to deploy with sri: false, I could then just download the file from my production server and run the same command to see if it's the same? There's a big launch today, so I probably won't be able to experiment with it this weekend, but maybe I can try this in the middle of the night sometime next week. To answer your question, my stack is all based in Google Cloud, fronted by Cloudflare. So the static files are hosted by Google Firebase and dynamic bits are served by Google Cloud Functions, and Cloudflare caches various things for different periods. I'm not aware of any sort of minification or such happening post build, but I guess I wouldn't be shocked if either Google or Cloudflare was trying to optimize in some way, adding additional headers, etc. |
|
Ok thank you very much for the explanation. You will find the integrity hash in the One thing that you can do without risking another redeploy, is to save this I would want to understand if they are similar or if there are any differences. You can do a simple diff in the terminal to find out. Totally understand that you probably don't have so much time to do that this kind of research, but if you manage to get the information it would be extremely helpful. |
|
I assume there's no way to get the matching values on a local machine, eh? This is the local HTML I see, but it doesn't have this integrity value: But it also doesn't include the URL hash, so I'm guessing it's just a dev-only version, and wouldn't match my prod env entirely. Once I'm able to redeploy to prod I'll try to follow the steps you mentioned to see if I can get the right value. Oh, I also didn't answer you earlier question - the site is a mix of SSR and SPA. |
|
Yes this is a dev build, but weird that you don’t have integrity there
|
|
@georgesaliba could you verify if the issue still occurs? I would like to release a new version this week and if this issue appears for more use cases, then we have to fix it before releasing the stable 1.0.0 version |
|
So I was able to deploy to production with sri: false and it didn't bring the site down. However, I also don't see the integrity in the production HTML (maybe as a result of the sri being false?). |
|
So if I understand correctly, when sri is set to true (which is by default) your site does not work correctly? |
|
Yes, exactly. None of the generated JS or CSS files load.
…On Sun, Nov 19, 2023 at 11:26 PM Jakub Andrzejewski < ***@***.***> wrote:
So if I understand correctly, when sri is set to true (which is by
default) your site does not work correctly?
—
Reply to this email directly, view it on GitHub
<#297 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AALJFF7ER3WG525IEK5SH4TYFMAZFAVCNFSM6AAAAAA7O5LRLGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMJYGM3TANRXGU>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
I personally cannot reproduce it unfortunately and when I was testing it before releasing and after the release the default SRI was not causing any problems for me. @georgesaliba Could you provide us with more info about your config? TBH, I have no idea what could be causing it so any information you could give us would help us solve the issue. Also, have you tried this from @vejja ? #297 (comment) |
Right, One thing you could do, now that you have redeployed, is to |
|
So I can see there are differences, and it looks like something is slightly minifying the production file, removing unneeded whitespace: 
Or this extra line feed at the end of the file: Sure enough, if I go into Cloudflare, I can see that it has auto-minify turned on for CSS & JS. I'd bet that's the culprit - thanks guys! |
|
@georgesaliba Thanks for verifying that. Would you be able to disable this css/js minify for a while to see if it makes the Nuxt Security 1.0.0-rc.4 work? This is currently our main blocker for releasing 1.0.0 version :( |
|
I disabled the minification at Cloudflare and flushed my cached, but I'm still seeing slightly modified minified files. Not yet sure if it's just caching (files could be cached in some of the data centers even after flushing) or if there's something else in the stack that might be minifying the file. But I need to get the files matching first or redeploying with SRI enabled would guarantee an outage. |
|
I see. Lets reschedule the 1.0.0 stable release until I am back from vacation ~1st december. |
|
So the cache appears to have flushed, and there are far fewer modifications to the files in production vs. pre-deployment. However, they're still different. It appears something is changing the space character. I'm not sure if it's part of some post-build deployment step (not intentional on my part if so), or some optimization by Google or Cloudflare, or just a result of different systems. But the space characters in the following are different, even though they look the same: 
Digging into it, my local pre-deployed version is just a space character (20), while the post-deployed production version is a non-breaking space (c2 a0). |
|
Yes, this might be related to 2 different systems used for building. |
|
Nope, don't think I have a way to do that. |
|
Ok |
|
@vejja No, I literally just run |
Ok I get it. But then there should be no differences between your local build and the Firebase deployed files, so that's the worse-case scenario from my perspective... Is there anything specific about your I am asking because
In other words, I'm trying to have a detailed picture of who is serving your files. |
|
Sorry forget my previous comment, I misread what you said which was: "a mix of SSR and SPA." In which case I do believe you should be fine. |
|
PR #304 adds a section in Documentation about Post-Build Processing. |
I recently updated to rc4 and all users got the following error when I deployed to production:
Is this related to the update? Is it a bug, or would there be a changelog somewhere that would indicate what changes I might need to make?
The text was updated successfully, but these errors were encountered: