Failed to find a valid digest in the 'integrity' attribute for resource #564

Open

TommasoAmici opened this issue Feb 25, 2021 · 11 comments

@TommasoAmici (Author)

I'm trying to add Offen to my sites and I'm hitting some blocks:

My setup

I pulled the latest version of Offen from docker hub.

offen.mttaudio.com ---> nginx --> offen docker image
www-pre.mttaudio.com -> nginx --> web app process

Errors

  1. www-pre.mttaudio.com/:1 Refused to display 'https://offen.mttaudio.com/vault/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

     If I remove the X-Frame-Options completely this goes away, is there a way for me to keep this?

  2. If I do remove the X-Frame-Options header, then Offen loads but throws these two errors (they also come out when visiting the Offen Auditorium):

     Failed to find a valid digest in the 'integrity' attribute for resource 'https://offen.mttaudio.com/vault/vendor-cdc94dde8f.js' with computed SHA-256 integrity '7h+DJVtMpNr1FVMcCV2spIwSjnKvTKLBR8VCunEO6IE='. The resource has been blocked.

     Failed to find a valid digest in the 'integrity' attribute for resource 'https://offen.mttaudio.com/vault/index-405319a057.js' with computed SHA-256 integrity 'EUQKQfu5yNZ7NP1VpXeomJrtWqIK1E3GMHeGFRUcC+s='. The resource has been blocked.
@m90 (Member) commented Feb 25, 2021

If I remove the X-Frame-Options completely this goes away, is there a way for me to keep this?

Offen relies heavily on the security/isolation perks we get from running parts of it in an iframe, so there is no way to "unbox" it in any way. If you're ok with that, I think you could do two things here other than removing the header entirely:

If I do remove the X-Frame-Options header, then Offen loads but throws these two errors (they also come out when visiting the Offen Auditorium)

At the time of writing, I can visit https://offen.mttaudio.com/ and do not see any of these errors (both in Chrome and Firefox). It's very mysterious because these scripts do have an integrity attribute, but the content hash uses sha-384 when the error message says it expects SHA-256 (and also the hashes displayed in the error message differ from what's on the script tags):

~ curl https://offen.mttaudio.com/vault/
<!DOCTYPE html><html><head>
<title>Offen vault</title>
<meta charset="utf-8">
</head>
<body>
<div id="host"></div>
<script src="./vendor-cdc94dde8f.js" integrity="sha384-a0MdZwqOjDjC+xI3/t9a/4G50xx7he8SS7P6KCK/zqrWVRFEV0h0IArjSe/qQcts" crossorigin="anonymous"></script>
<script src="./index-405319a057.js" integrity="sha384-kZ76R2bZkYOhXotKNPhTD7qhCBdA6Q6EIeMmFFbCGp1CPLOLamc+Zgk5Yr7vwfp6" crossorigin="anonymous"></script>
</body></html>

which has me wondering if this is related to your browser / setup? What browser are you using and do you have any extensions installed that could be influencing this?

Another thing that might be of interest: do you have any additional security related headers set or use an inline Content-Security-Policy?

@TommasoAmici (Author)

I'm getting it on all browsers on my MacBook and on my girlfriend's MacBook as well.

Chrome Version 88.0.4324.192 (Official Build) (x86_64)
Safari Version 14.0.3 (16610.4.3.1.4)
Firefox 87.0b2 (64-bit)

This is the CSP I've set:

Content-Security-Policy

default-src 'self'; 
script-src 'self' js.stripe.com/v3 offen.mttaudio.com;
style-src 'self' 'unsafe-inline';
object-src 'none';
base-uri 'self';
connect-src 'self';
font-src 'self';
frame-src 'self' js.stripe.com offen.mttaudio.com;
frame-ancestors 'self' js.stripe.com offen.mttaudio.com;
img-src 'self';
manifest-src 'self';
media-src 'self';
worker-src 'none';

use X-Frame-Options: allow-from https://offen.mttaudio.com/ (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)

Thanks for this tip, it works correctly!

@TommasoAmici (Author)

As extra info: my offen.env looks like this

OFFEN_SECRET="mysecretkey=="

OFFEN_SERVER_REVERSEPROXY=true

OFFEN_SMTP_HOST="my.mail.server"
OFFEN_SMTP_USER="my@address.com"
OFFEN_SMTP_PASSWORD="mypassword"
OFFEN_SMTP_PORT="587"

@m90 (Member) commented Feb 25, 2021

Ok, so this is really really strange and I'm a little stumped. I'm on Linux where I can use Offen installed on https://www-pre.mttaudio.com/ just fine across all browsers. When I use Browserstack however I can reproduce the error in both MacOS and Windows. What makes no sense however is that I can use the version of Offen that is installed on https://www.offen.dev (which is not exactly 0.3.0 but very close and no changes in the hashing mechanism since then) just fine in these Browserstack versions as well as on my local machine. What currently makes no sense to me at all is that the error message is talking about a different hash algorithm and uses a different hash value than what is on the script tag?

Your offen.env looks just fine.

I will try to dig into this further and will let you know what I come up with once I can reproduce the issue myself.

@m90 (Member) commented Feb 25, 2021

I also just tested a few random Offen installations I know of in Browserstack and couldn't reproduce the issue anywhere, so it's likely related to your specific setup.

I wonder if the Cloudflare proxy you seem to be using could be involved here?

@TommasoAmici (Author)

I'm going to disable it and see if that's causing these issues

@TommasoAmici (Author)

Yes! That was it!

@m90 (Member) commented Feb 25, 2021

Glad you got it working although it's still very mysterious.

For the record these were the headers sent when you were still behind Cloudflare:

➜  ~ curl -I https://offen.mttaudio.com/vault/
HTTP/2 200
date: Thu, 25 Feb 2021 16:58:26 GMT
content-type: text/html; charset=utf-8
set-cookie: __cfduid=dee5b4182b4d36298c83f6ddd22c84e061614272306; expires=Sat, 27-Mar-21 16:58:26 GMT; path=/; domain=.mttaudio.com; HttpOnly; SameSite=Lax; Secure
vary: Accept-Encoding
cache-control: no-cache
content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:
last-modified: Sun, 31 Jan 2021 19:52:40 GMT
referrer-policy: origin-when-cross-origin
strict-transport-security: max-age=15768000
vary: Accept-Encoding
x-content-type-options: no-sniff
x-xss-protection: 1; mode=block
x-cache-status: MISS
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self' http: https: data: blob: 'unsafe-inline'
cf-cache-status: DYNAMIC
cf-request-id: 087bb9b6960000dfeb0dac1000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Zy6okFisDSxrTfQhVqXWxE1kjYs%2FFiQT5L9AhIOVWdawh7SciTFAKVXVYvIhGzYKGeAuNXDH61uuX6gsO1oJx6jGSBiKHNvour85TadG3f%2B%2BySm5kspD0MlNcixuZWI%3D"}]}
nel: {"max_age":604800,"report_to":"cf-nel"}
server: cloudflare
cf-ray: 6272f89db9c6dfeb-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

I guess I'll do two things now:

  • raise an issue with Cloudflare (dunno if that is successful usually)
  • get a test setup working where I can repro the issue and see if using a SHA-256 or SHA-512 hash instead works in this context

I will also update the docs to mention the X-Frame-Options setting you mentioned. Thanks for raising this.

m90 added a commit that referenced this issue Feb 25, 2021
m90 added a commit that referenced this issue Feb 26, 2021
@m90 (Member) commented Feb 26, 2021

Here's some advice from the Cloudflare forum that sounds like it might be causing the issue:

Having Rocket Loader enabled? If yes, try disabling it.
Moreover, check and try disabling CSS and JS Minify at Cloudflare dashboard.

@TommasoAmici (Author)

As I said in the Cloudflare thread

Having Rocket Loader enabled? If yes, try disabling it.

Rocket Loader was disabled

Moreover, check and try disabling CSS and JS Minify at Cloudflare dashboard.

I did have CSS and JS minify active, but after disabling the option nothing changed.
