Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Subresource Integrity (SRI) 'crossorigin' prop not being written into script tag. Breaks SRI #5

Closed
grempe opened this issue Sep 11, 2016 · 2 comments
Closed

Subresource Integrity (SRI) 'crossorigin' prop not being written into script tag. Breaks SRI #5

grempe opened this issue Sep 11, 2016 · 2 comments

Comments

@grempe
Copy link
Contributor

grempe commented Sep 11, 2016

I am trying the following tag:

<script2 src="https://cdnjs.cloudflare.com/ajax/libs/zxcvbn/4.3.0/zxcvbn.js" integrity="sha384-hfPZ3T7eceGKgB/awoakGSSccX6jYRvOfO3uJYt0+HT1VX1IuRg/4NeOax+WHaQH" crossorigin="anonymous"></script2>

However, in the final DOM output, the crossorigin prop is not being emitted. Copying from the Vue Dev tool on Chrome the following attributes are shown for the script2 tag I see all relevant props (src, integrity, crossorigin) are being set properly:

async: undefined prop
crossorigin: "anonymous"
integrity: "sha384-hfPZ3T7eceGKgB/awoakGSSccX6jYRvOfO3uJYt0+HT1VX1IuRg/4NeOax+WHaQH"
src: "https://cdnjs.cloudflare.com/ajax/libs/zxcvbn/4.3.0/zxcvbn.js"
text: undefined
type: undefined
unload: undefined

But the DOM outputs:

<script src="https://cdnjs.cloudflare.com/ajax/libs/zxcvbn/4.3.0/zxcvbn.js" integrity="sha384-hfPZ3T7eceGKgB/awoakGSSccX6jYRvOfO3uJYt0+HT1VX1IuRg/4NeOax+WHaQH" type="text/javascript"></script>

As you can see, the crossorigin is being dropped and this prevents most uses of SRI from working since in most cases a CORS preflight has to be done (e.g. when loading script from a CDN). The following error is thrown in Chrome when trying to load the page with this script tag:

Subresource Integrity: The resource 'https://cdnjs.cloudflare.com/ajax/libs/zxcvbn/4.3.0/zxcvbn.js' has an integrity attribute, but the resource requires the request to be CORS enabled to check the integrity, and it is not. The resource has been blocked because the integrity cannot be enforced.
vue-script2.js?4ec5:84

Uncaught (in promise) Error: https://cdnjs.cloudflare.com/ajax/libs/zxcvbn/4.3.0/zxcvbn.js(…)
s.onerror   @   vue-script2.js?4ec5:84

For testing you can generate valid SRI hash easily using this tool:

https://www.srihash.org/

And you can learn more about SRI here:

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
@taoeffect
Copy link
Owner

taoeffect commented Sep 12, 2016
edited

This is very weird. As you can see crossorigin should be being included...

BTW, it's nice to see someone using the integrity attribute. Bought damn time! (Especially for JS served by CloudFlare!)

Haven't much time right now to look deeply into this, but here, try adding a line near here along the lines of s.crossorigin = opts.crossorigin to set it using = instead of _.defaults2 and let me know if it works.

taoeffect added a commit that referenced this issue Sep 13, 2016
@taoeffect
Merge pull request #6 from grempe/master
8d4f9e3 
Fixes #5 crossorigin in HTML is crossOrigin in DOM
@grempe
Copy link
Contributor Author

grempe commented Sep 13, 2016

Seems to be doing the trick! Thanks for the quick release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@grempe @taoeffect