
Comments (7)

mdecimus avatar mdecimus commented on May 26, 2024 2

Done.

from trunk.

mdecimus avatar mdecimus commented on May 26, 2024 1

However, so far I haven't seen an error on this

I also don't see any errors or warnings and most of our users don't have any issues at all. However, we received a bug report recently from a user using Firefox on Linux where the page does not load at all due to invalid characters in the integrity hash.

from the linked docs, I can't see that requirement

The grammar in the subresource integrity standard indicates:

base64-value       = <base64-value production from [Content Security Policy Level 2, section 4.2]>

Then you can follow the link to the Content Security Policy Level 2, section 4.2 where base64-value is defined as:

base64-value      = 1*( ALPHA / DIGIT / "+" / "/" )*2( "=" )

As you can see in the ABNF, both '_' and '-' are invalid characters.

ctron avatar ctron commented on May 26, 2024 1

Should be released as 0.19.2. Thanks for the quick PR!

ctron avatar ctron commented on May 26, 2024

Thanks for bringing this up. However, so far I haven't seen an error on this (which doesn't mean anything), but also from the linked docs, I can't see that requirement. I am sure I am missing something.

X-Ryl669 avatar X-Ryl669 commented on May 26, 2024

There are 2 types of base64 encoding alphabet (the 64 characters used for the 64 base digits). The official alphabet (which is described in RFC 4648) uses, well, the known alphanumeric range plus / and +. This alphabet collides with special characters used in URLs, so another, alternate alphabet is described in the same RFC for an encoding called base64url. In this base64url alphabet, the digit / is replaced by _ and the digit + is replaced by -.

This encoding should be used exclusively in URLs and not anywhere else.

The issue is that this repository uses this alphabet to encode the SHA hash of the subresource integrity while it should be using the former, official alphabet. Browsers respecting the subresource integrity specification thus can't decode the hash (since it's encoded with the bad alphabet) and will refuse to load the resource, leading to catastrophic issues (no CSS, no JS, no WASM module loaded).

The specification linked above is clear and explicitly specifies to use the alphabet in section 4 of RFC 4648 and not that of section 5.

In the example digest above, instead of

integrity=sha384-0Zy966gMg2P2uZhUAv8IdixXEIejROvJyU28_fbsDk_3geMKyy84V0zSrHs2pN-H

It should have read:

integrity=sha384-0Zy966gMg2P2uZhUAv8IdixXEIejROvJyU28/fbsDk/3geMKyy84V0zSrHs2pN+H

to be correct.

It happens that Chrome actually falls back to base64url decoding if it fails to decode the base64 alphabet (it shouldn't). Firefox doesn't (as it should).

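As an added example (not code from this thread or from the trunk project), the following Python script ties together the ABNF quoted in mdecimus's comment above and the alphabet distinction explained in this comment: it checks an integrity value against the CSP `base64-value` grammar the way a strict browser would, computes a correct SRI digest over constructed sample bytes, and re-encodes a base64url-encoded value such as the one in this thread with the standard alphabet. The function names and the sample bytes are assumptions of this example, not part of the original discussion.

```python
import base64
import hashlib
import re

# ABNF from CSP Level 2, section 4.2, as quoted in the thread:
#   base64-value = 1*( ALPHA / DIGIT / "+" / "/" )*2( "=" )
# An SRI attribute value is "<hash-algo>-<base64-value>". Note that neither
# '-' nor '_' is in the character class, so a base64url digest never matches.
SRI_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$")

# The mis-encoded value from this thread and its corrected form.
BAD_SRI = "sha384-0Zy966gMg2P2uZhUAv8IdixXEIejROvJyU28_fbsDk_3geMKyy84V0zSrHs2pN-H"
GOOD_SRI = "sha384-0Zy966gMg2P2uZhUAv8IdixXEIejROvJyU28/fbsDk/3geMKyy84V0zSrHs2pN+H"


def is_valid_sri(integrity: str) -> bool:
    """True if `integrity` matches the SRI grammar (standard alphabet only).

    This mirrors a strict browser such as Firefox in the thread: anything
    outside the grammar is simply not a usable integrity metadata entry.
    """
    return SRI_RE.match(integrity) is not None


def sri_digest(data: bytes, algo: str = "sha384") -> str:
    """Correct SRI value: RFC 4648 section 4 (standard) base64 of the raw digest."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_digest_urlsafe(data: bytes, algo: str = "sha384") -> str:
    """The mistaken form discussed in the thread: same digest, but the
    RFC 4648 section 5 (base64url) alphabet, so '+' -> '-' and '/' -> '_'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.urlsafe_b64encode(digest).decode('ascii')}"


def fix_urlsafe_sri(integrity: str) -> str:
    """Re-encode a base64url-encoded SRI value with the standard alphabet.

    Decoding with the url-safe decoder and re-encoding with the standard
    encoder is equivalent to mapping '-' -> '+' and '_' -> '/', but it also
    rejects garbage that is not base64 at all (binascii.Error is raised).
    A value that already uses the standard alphabet passes through unchanged.
    """
    algo, _, value = integrity.partition("-")  # algo names contain no '-'
    padded = value + "=" * (-len(value) % 4)   # restore padding if stripped
    raw = base64.urlsafe_b64decode(padded)
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


if __name__ == "__main__":
    # Constructed sample resource (stand-in for a bundled JS/CSS/WASM file).
    sample = b"console.log('hello from a constructed sample resource');\n"
    print("standard :", sri_digest(sample), is_valid_sri(sri_digest(sample)))
    print("base64url:", sri_digest_urlsafe(sample), is_valid_sri(sri_digest_urlsafe(sample)))
    print("thread value valid?", is_valid_sri(BAD_SRI))
    print("repaired           ", fix_urlsafe_sri(BAD_SRI))
```

Running the script shows the base64url form failing the grammar check whenever the digest happens to contain a `+` or `/` byte pattern, which is why the bug only surfaces on some builds; the repaired value for the thread's digest is exactly the corrected string given above.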
ctron avatar ctron commented on May 26, 2024

Thanks, that makes it clear! If you can come up with a PR for main, I can backport it and push out a release.

mdecimus avatar mdecimus commented on May 26, 2024

Thanks for the quick release! We'll test this today.
