SRI hash generated by sprockets doesn't work in Google Chrome 45 - 46 and Firefox 43 - 51 #681

Closed
andreas-venturini opened this issue Jun 3, 2020 · 1 comment

andreas-venturini commented Jun 3, 2020

Expected behavior

SRI hash should work in all versions of Google Chrome & Firefox that support SRI (see https://caniuse.com/#feat=subresource-integrity).

Actual behavior

  • The SRI hash only works as expected in Google Chrome >= 47 and Firefox >= 52.
  • In Firefox versions 43 - 51 assets w/ SRI hash are not loaded and the following error message is displayed in the browser console: None of the “sha256” hashes in the integrity attribute match the content of the subresource
  • In Google Chrome versions 45 - 46 assets w/ SRI hash are not loaded and the following error message is displayed in the browser console: Failed to find a valid digest in the 'integrity' attribute for resource application-ASSET_HASH.css with computed SHA-256 integrity SRI_HASH'. The resource has been blocked.

I downloaded the asset and calculated the sha-256 hash locally by running the following command:

cat application-ASSET_HASH.css | openssl dgst -sha256 -binary | openssl base64 -A

The result matches the hash computed by sprockets.

I looked at the changelog of Firefox 52 (https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/52) and Google Chrome 47 but couldn't find any indications of bug fixes related to the SRI implementation.

System configuration

  • Sprockets version: 3.7.2
  • Ruby version: 2.6.6p146
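
The local check described in the post above, extended into a small Ruby verifier. This is an added example, not part of the original issue or of Sprockets' code; the helper names (`sri_value`, `parse_integrity`, `integrity_match?`) and the sample CSS are constructed for illustration, and it goes beyond the single sha256 case by handling several hashes in one integrity attribute.

```ruby
require "digest"
require "base64"

# Hash functions the SRI specification allows, ordered weakest to strongest.
SRI_ALGORITHMS = {
  "sha256" => Digest::SHA256,
  "sha384" => Digest::SHA384,
  "sha512" => Digest::SHA512
}.freeze

# Same result as `openssl dgst -sha256 -binary | openssl base64 -A`,
# prefixed with the algorithm name as it appears in an integrity attribute.
def sri_value(bytes, algorithm = "sha256")
  digest = SRI_ALGORITHMS.fetch(algorithm).digest(bytes)
  "#{algorithm}-#{Base64.strict_encode64(digest)}"
end

# Split an integrity attribute into [algorithm, base64 digest] pairs.
# Unknown algorithms are dropped and a trailing "?options" part is ignored.
def parse_integrity(attribute)
  attribute.split.map do |token|
    algorithm, encoded = token.split("-", 2)
    next unless SRI_ALGORITHMS.key?(algorithm) && encoded
    [algorithm, encoded.split("?", 2).first]
  end.compact
end

# True when one digest of the strongest listed algorithm matches the bytes.
# Returns false when the attribute holds no usable hash (nothing to verify).
def integrity_match?(bytes, attribute)
  entries = parse_integrity(attribute)
  strongest = entries.map(&:first).max_by { |alg| SRI_ALGORITHMS.keys.index(alg) }
  entries.any? { |alg, enc| alg == strongest && "#{alg}-#{enc}" == sri_value(bytes, alg) }
end

# Constructed sample standing in for a downloaded application-ASSET_HASH.css.
SAMPLE_CSS = "body { color: red; }\n".b

if __FILE__ == $PROGRAM_NAME
  attribute = sri_value(SAMPLE_CSS)
  puts attribute
  puts integrity_match?(SAMPLE_CSS, attribute)        # bytes as served
  puts integrity_match?(SAMPLE_CSS + " ", attribute)  # bytes altered after hashing
end
```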

andreas-venturini commented Jun 4, 2020

I looked at the Mozilla bug-tracker again and found this https://bugzilla.mozilla.org/show_bug.cgi?id=1271796

It seems to describe exactly what I'm reporting above (wrong SRI hash calculated for the css asset) - and was resolved in Firefox 52 which also matches my observations.

I'm assuming there was a similar problem in Chrome 45-46.

Therefore closing.
