Ember App won't load - resource integrity error in Chrome


#1

As of this morning, the Ember app I work on wasn’t loading in Chrome, in production (it works in Firefox). It was working fine yesterday, and we haven’t done a deploy in three days. I only tested it in Chrome/FF on Linux, not sure if things are different for other OS/browser combinations.

The issue appears to be an incompatibility with a recent update to Chrome. The error in the console was:

Failed to find a valid digest in the 'integrity' attribute for resource
'https://www.my-orientation.com/assets/vendor-3490848894f35dc09a765bd6d92c451d.js'
with computed SHA-256 integrity 'CEWiFoCoI5mT8LnEhhETXdTArxMyLvhThCtMTVrylUg='.
The resource has been blocked.

I posted about this in #needhelp on the Ember Slack community and @jonathanKingston provided the following short-term fix:

Change the line

    <script src="assets/vendor.js"></script>

to

    <script integrity="" src="assets/vendor.js"></script>

in your ember/app/index.html.

See https://github.com/jonathanKingston/ember-cli-sri/issues/5 for more info.


#2

Hey all,

So I published a patch ember-cli-sri@1.1.0 which solves this issue (however turns off a fair few safe builds too). You can turn all integrity checking back on by setting SRI.paranoidCheck = false in your ember-cli-build.js file.

The advantage to the patch however is that when the issue is resolved the check can be removed and more people will benefit from SRI without removing the security now.

I’m still looking further into what is causing this issue (it will either be Chrome or OpenSSL).

Let me know if further issues arise :smile:

Thanks


#3

Thanks for posting these workarounds folks. I was seeing the same issue when running ember test --server --launch chrome. Chrome (45.0.2454.85 (64-bit) on MacOS) refused to download the testem.js file with the same error.

Setting <script integrity="" src="testem.js"></script> in tests/index.html did the trick.