SRI enabled requests: jQuery not loaded on local file:/// serving #1420

Closed
dlaugt opened this issue Jan 23, 2023 · 5 comments · Fixed by #1421
Labels: Bug, Needed: replication

dlaugt commented Jan 23, 2023

Problem

I'm testing sphinx-rtd-theme 1.2.0rc3 with sphinx 6.1.3. The search never ends. The search page displays "Searching" with blinking "..." forever. The problem still persists if I add "sphinx_rtd_theme" in "extensions" as mentioned in 6444ca8.

However, the search works fine if I'm using the default sphinx theme.

Error Logs/Results

[image]

Environment Info

  • Python Version: 3.10.8
  • Sphinx Version: 6.1.3
  • RTD Theme Version: 1.2.0rc3
dlaugt added the Bug and Needed: replication labels on Jan 23, 2023

dlaugt commented Jan 24, 2023

The search works when I remove, inside the search page, the integrity attribute on the jquery and _sphinx_javascript_frameworks_compat scripts:

        <script integrity="sha384-vtXRMe3mGCbOeY7l30aIg8H9p3GdeSe4IFlP6G8JMa7o7lXvnz3GFKzPxzJdPfGK" src="_static/jquery.js"></script>
        <script integrity="sha384-lSZeSIVKp9myfKbDQ3GkN/KHjUc+mzg17VKDN4Y2kUeBSJioB9QSM639vM9fuY//" src="_static/_sphinx_javascript_frameworks_compat.js"></script>
        <script data-url_root="./" id="documentation_options" src="_static/documentation_options.js"></script>
        <script src="_static/doctools.js"></script>
        <script src="_static/sphinx_highlight.js"></script>
        <script src="_static/js/theme.js"></script>
        <script src="_static/searchtools.js"></script>
        <script src="_static/language_data.js"></script>

I have very little knowledge of HTML. I have the feeling that the integrity attribute is useful for external resources (e.g. resources defined with an external location via https, http, etc.) and not for local resources like here. Note that the other JavaScript resources (like _static/documentation_options.js, _static/doctools.js, etc.) have no integrity attribute.

@benjaoming
Contributor

Thanks for reporting this 💯

I'm very surprised at how this bug dodged several rounds of testing.

It's likely that it can be solved by using sphinxcontrib-jquery 2.0.0 since this version didn't have the integrity attributes.

I'll submit a PR for sphinxcontrib-jquery to add crossorigin="anonymous", in case this works.

It seems like browsers consider anything on the file as a "cross-origin", even though the path is relative. I'm not sure about what's in it for security here... but for other purposes, I think that an integrity check on assets will always make sense.

As much as we do not know the destination of build outputs during build time (will they be displayed via file:// or upload to a webserver? 🤷), we also do not know what happens to assets -- will they be handled through a different cache layer?


dlaugt commented Jan 24, 2023

Thanks for taking care of this. I've tried to add crossorigin="anonymous" but it didn't work for me. On my side, the documentation is not served by any webserver. I'm just opening the file index.html from a Chrome browser (version 109.0.5414.75).

search.html:

        <script integrity="sha384-vtXRMe3mGCbOeY7l30aIg8H9p3GdeSe4IFlP6G8JMa7o7lXvnz3GFKzPxzJdPfGK" crossorigin="anonymous" src="_static/jquery.js"></script>
        <script integrity="sha384-lSZeSIVKp9myfKbDQ3GkN/KHjUc+mzg17VKDN4Y2kUeBSJioB9QSM639vM9fuY//" crossorigin="anonymous" src="_static/_sphinx_javascript_frameworks_compat.js"></script>

errors:

[image]

@benjaoming
Copy link
Contributor

You are right, and it seems like there isn't any documentation about this behavior. It also seems to me that the error message in the browser isn't correct. https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

In any case, this seems to be a dead-end for integrity checks. I'll ask to have them rolled back in sphinxcontrib-jquery.

@benjaoming
Copy link
Contributor

> It also seems to me that the error message in the browser isn't correct.

I should elaborate on what I meant by that. I'm getting this error:

“file:///home/user/sphinx_rtd_theme/docs/build/html/_static/_sphinx_javascript_frameworks_compat.js” is not eligible for integrity checks since it’s neither CORS-enabled nor same-origin.

I think this error from Firefox indicates that something is neither fully designed nor implemented (pun intended).
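
Added example (not part of the thread and not code from sphinx-rtd-theme or sphinxcontrib-jquery): a build-output audit that lists every `<script>` carrying an `integrity` attribute, marks the ones with a relative `src` (the tags this thread reports as blocked when the page is opened via file://), and checks the digest against the asset bytes. The sample asset, page, `cdn.example` URL and all function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALGS = ("sha256", "sha384", "sha512")  # SRI hash functions, weakest to strongest

def sri_token(data, alg="sha384"):
    """Integrity token: '<alg>-' + base64 of the raw digest."""
    return alg + "-" + base64.b64encode(hashlib.new(alg, data).digest()).decode("ascii")

class ScriptTags(HTMLParser):
    """Collect (src, integrity) for each <script src=...> in a page."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append((a["src"], a.get("integrity")))

def audit(html, assets):
    """Return (src, relative, digest_ok) for each script carrying integrity."""
    tags = ScriptTags()
    tags.feed(html)
    report = []
    for src, integrity in tags.found:
        if not integrity:
            continue
        url = urlsplit(src)
        # No scheme/host: resolves against the page URL, i.e. file:// from disk.
        relative = not url.scheme and not url.netloc
        # Drop "?options" and unknown algorithms; only the strongest one counts.
        tokens = [t.split("?")[0] for t in integrity.split()]
        tokens = [t for t in tokens if t.split("-")[0] in ALGS]
        digest_ok = None  # None: asset bytes not supplied, nothing to compare
        if tokens and src in assets:
            best = max((t.split("-")[0] for t in tokens), key=ALGS.index)
            digest_ok = sri_token(assets[src], best) in tokens
        report.append((src, relative, digest_ok))
    return report

# Constructed sample (not the project's files): one asset, three script tags.
ASSET = b"window.demo = 1;\n"
PAGE = (f'<script integrity="{sri_token(ASSET)}" src="_static/demo.js"></script>'
        '<script src="_static/doctools.js"></script>'
        '<script integrity="sha384-AAAA" src="https://cdn.example/x.js"></script>')
REPORT = audit(PAGE, {"_static/demo.js": ASSET})
```

For a real build, fill `assets` by reading each relative `src` from the HTML output directory before calling `audit`.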

benjaoming changed the title from "Search never ends" to "CORS enabled requests: jQuery not loaded on local file:/// serving" on Jan 24, 2023
benjaoming changed the title from "CORS enabled requests: jQuery not loaded on local file:/// serving" to "SRI enabled requests: jQuery not loaded on local file:/// serving" on Jan 25, 2023