Failed to find a valid digest in the 'integrity' attribute for resource

[TommasoAmici]

I'm trying to add Offen to my sites and I'm hitting some blocks:

My setup

I pulled the latest version of Offen from docker hub.

offen.mttaudio.com ---> nginx --> offen docker image
www-pre.mttaudio.com -> nginx --> web app process

Errors

1. www-pre.mttaudio.com/:1 Refused to display 'https://offen.mttaudio.com/vault/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

If I remove the X-Frame-Options completely this goes away, is there a way for me to keep this?

2. If I do remove the X-Frame-Options header, then Offen loads but throws these two errors (they also come out when visiting the Offen Auditorium)

Failed to find a valid digest in the 'integrity' attribute for resource 'https://offen.mttaudio.com/vault/vendor-cdc94dde8f.js' with computed SHA-256 integrity '7h+DJVtMpNr1FVMcCV2spIwSjnKvTKLBR8VCunEO6IE='. The resource has been blocked.

Failed to find a valid digest in the 'integrity' attribute for resource 'https://offen.mttaudio.com/vault/index-405319a057.js' with computed SHA-256 integrity 'EUQKQfu5yNZ7NP1VpXeomJrtWqIK1E3GMHeGFRUcC+s='. The resource has been blocked.

[m90]

If I remove the X-Frame-Options completely this goes away, is there a way for me to keep this?

Offen relies heavily on the security/isolation perks we get from running parts of it in an iframe so there is no way to "unbox" it in any way. If you're ok with that I think you could two things here other than removing the header entirely:

• use X-Frame-Options: allow-from https://offen.mttaudio.com/ (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
• use a Content-Security-Policy that defines a frame-src (there are docs on how to use Offen with a CSP here https://docs.offen.dev/running-offen/embedding-the-script/#using-offen-with-a-content-security-policy)

If I do remove the X-Frame-Options header, then Offen loads but throws these two errors (they also come out when visiting the Offen Auditorium)

At the time of writing, I can visit https://offen.mttaudio.com/ and do not see any of these errors (both in Chrome and Firefox). It's very mysterious because these scripts do have an integrity attribute, but the content hash uses sha-384 when the error message says it expects SHA-256 (and also the hashed displayed in the error message differ from what's on the script tags):

➜  ~ curl https://offen.mttaudio.com/vault/
<!DOCTYPE html><html><head>
<title>Offen vault</title>
<meta charset="utf-8">
</head>
<body>
<div id="host"></div>
<script src="./vendor-cdc94dde8f.js" integrity="sha384-a0MdZwqOjDjC+xI3/t9a/4G50xx7he8SS7P6KCK/zqrWVRFEV0h0IArjSe/qQcts" crossorigin="anonymous"></script>
<script src="./index-405319a057.js" integrity="sha384-kZ76R2bZkYOhXotKNPhTD7qhCBdA6Q6EIeMmFFbCGp1CPLOLamc+Zgk5Yr7vwfp6" crossorigin="anonymous"></script>
</body></html>

which has me wondering if this is related to your browser / setup? What browser are you using and do you have any extensions installed that could be influencing this?

Another thing that might be of interest if you have any additional security related headers set or use an inline Content-Security-Policy?

[TommasoAmici]

I'm getting it on all browsers on my MacBook and on my girlfriend's MacBook as well.

Chrome Version 88.0.4324.192 (Official Build) (x86_64)
Safari Version 14.0.3 (16610.4.3.1.4)
Firefox 87.0b2 (64-bit)

This is the CSP I've set:

Content-Security-Policy

default-src 'self'; 
script-src 'self' js.stripe.com/v3 offen.mttaudio.com;
style-src 'self' 'unsafe-inline';
object-src 'none';
base-uri 'self';
connect-src 'self';
font-src 'self';
frame-src 'self' js.stripe.com offen.mttaudio.com;
frame-ancestors 'self' js.stripe.com offen.mttaudio.com;
img-src 'self';
manifest-src 'self';
media-src 'self';
worker-src 'none';

use X-Frame-Options: allow-from https://offen.mttaudio.com/ (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)

Thanks for this tip, it works correctly!

[TommasoAmici]

As extra info: my offen.env looks like this

OFFEN_SECRET="mysecretkey=="

OFFEN_SERVER_REVERSEPROXY=true

OFFEN_SMTP_HOST="my.mail.server"
OFFEN_SMTP_USER="my@address.com"
OFFEN_SMTP_PASSWORD="mypassword"
OFFEN_SMTP_PORT="587"

[m90]

Ok, so this is really really strange and I'm a little stumped. I'm on Linux where I can use Offen installed on https://www-pre.mttaudio.com/ just fine across all browsers. When I use Browserstack however I can reproduce the error in both MacOS and Windows. What makes no sense however is that I can use the version of Offen that is installed on https://www.offen.dev (which is not exactly 0.3.0 but very close and no changes in the hashing mechanism since then) just fine in these Browserstack versions as well as on my local machine. What currently makes no sense to me at all is that the error message is talking about a different hash algorithm and uses a different hash value than what is on the script tag?

Your offen.env looks just fine.

I will try to dig into this further and will let you know what I come up with once I can reproduce the issue myself.

[m90]

I also just tested a few random Offen installations i know of in Browserstack and couldn't reproduce the issue anywhere so it's likely related to your specific setup.

I wonder if the Cloudflare proxy you seem to be using could be involved here?

[TommasoAmici]

I'm going to disable it and see if that's causing these issues

[TommasoAmici]

Yes! That was it!

[m90]

Glad you got it working although it's still very mysterious.

For the record these were the headers sent when you were still behind Cloudflare:

➜  ~ curl -I https://offen.mttaudio.com/vault/                                                                                                                                                             
HTTP/2 200                                                                                                                                                                                                 
date: Thu, 25 Feb 2021 16:58:26 GMT                                                                                                                                                                        
content-type: text/html; charset=utf-8                                                                                                                                                                     
set-cookie: __cfduid=dee5b4182b4d36298c83f6ddd22c84e061614272306; expires=Sat, 27-Mar-21 16:58:26 GMT; path=/; domain=.mttaudio.com; HttpOnly; SameSite=Lax; Secure                                        
vary: Accept-Encoding                                                                                                                                                                                      
cache-control: no-cache                                                                                                                                                                                    
content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:                                                                                                        
last-modified: Sun, 31 Jan 2021 19:52:40 GMT                                                                                                                                                               
referrer-policy: origin-when-cross-origin                                                                                                                                                                  
strict-transport-security: max-age=15768000                                                                                                                                                                
vary: Accept-Encoding                                                                                                                                                                                      
x-content-type-options: no-sniff                                                                                                                                                                           
x-xss-protection: 1; mode=block
x-cache-status: MISS
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self' http: https: data: blob: 'unsafe-inline'
cf-cache-status: DYNAMIC
cf-request-id: 087bb9b6960000dfeb0dac1000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Zy6okFisDSxrTfQhVqXWxE1kjYs%2FFiQT5L9AhIOVWdawh7SciTFAKVXVYvIhGzYKGeAuNXDH61uuX6gsO1oJx6jGSBiKHNvour85TadG3f%2B%2BySm5kspD0MlNcixuZWI%3D"}]}
nel: {"max_age":604800,"report_to":"cf-nel"}
server: cloudflare
cf-ray: 6272f89db9c6dfeb-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

I guess I'll do two things now:

• raise an issue with Cloudflare (dunno if that is successful usually)
• get a test setup working where I can repro the issue and see if using a SHA-256 or SHA-512 hash instead works in this context

---

I will also update the docs to mention the X-Frame-Options setting you mentioned. Thanks for raising this.

[m90]

Cloudflare issue lives here https://community.cloudflare.com/t/sri-integrity-check-for-scripts-fails-when-behind-cloudflare-proxy/247630

[m90]

Here's some advice from the Cloudflare forum that sounds like it might be causing the issue:

Having Rocket Loader enabled? If yes, try disabling it.
Moreover, check and try disabling CSS and JS Minify at Cloudflare dashboard.

[TommasoAmici]

As I said in the Cloudflare thread

Having Rocket Loader enabled? If yes, try disabling it.

Rocket Loader was disabled

Moreover, check and try disabling CSS and JS Minify at Cloudflare dashboard.

I did have CSS and JS minify active, but after disabling the option nothing changed