A client would like to use SRI on all CSS and JS assets on their website, but they ran into a very strange issue with Firefox. Their server is an apache2 instance, serving HTML content. CORS is enabled for the whole virtual host, for any (*) origin. There is no cache or CDN in place.

The two files in question are

  • company.min.css and
  • company.min.js

To generate the SRI hashes, initially SRI Hash Generator was used. The output from this has multiple algorithms and looks like this:

<script src="https://example.com/static/company.min.js" integrity="sha256-aKuSpMxn15zqbFa0u0FVA7mAFOSVwIwU4gA3U7AZf5Y= sha384-WDAg+qGBjbEyE52SdQ5UHdTObTY+jYTL63m9Oy2IJcGZR8AFn0t9JNN7qdut6DBk sha512-bxmUFj1FVOVV74+zIYau/HSUcLq9cuneBKoMJyW9dAz//yKFi8eRhyyIezF++2vbGO7cR6Pzm1l9rvnPcrvIrg==" crossorigin="anonymous"></script>

similar for the CSS file. These were inserted in the HTML and the site was tested in a few different browsers, with these results:

  • works in Chrome (/Canary), Opera, Edge and even IE
  • doesn't work in Firefox (/Nightly).

Firefox only dislikes the CSS, saying that the SHA512 does not match the resource. It processes the JS file fine for whatever reason.

I confirmed (using OpenSSL) that the hash generated by the above tools is indeed correct, and the fact that it works in almost every browser except Firefox got me thinking.

So I tried to hash the resources using Mozilla's own SRI tool, srihash.org, which is a recommendation by Mozilla from their blog post on SRI.

Now it gets a bit weird.

  • For the CSS file, srihash.org generates a completely different hash.
  • For the JS file, the hash is the same for both generators and matches my offline hashing with OpenSSL.

But, if I replace the CSS link with the Mozilla-generated one, this is the result:

  • works in Firefox
  • doesn't work anywhere else, since the hash mismatches

Question

I suspect this is some problem within Firefox' SRI implementation. The relevant discussion for the implementation is here, but it doesn't give any reasons why the resource is different in Firefox. But I'm not strictly a web developer, so are there any likely (documented) reasons for different SRI hashes in different browsers?

I can't disclose the exact server/resources. This is a general question, so if you have any objective experience or references to authorized sources documenting differences in the SRI implementation, please answer.

  • I will add to the CC list in that bug; it's really interesting why Mozilla has done this differently than other browsers. I think it's because of some kind of freedom behaviour, as usual, but a consensus would be better. Good luck! – Marcos Pérez Gude May 11 '16 at 07:40
  • Can it be connected to the encoding or MIME type of your CSS? Maybe Firefox interprets your CSS in a different way than other browsers do and that's why it has another hash? – porfirion May 11 '16 at 21:19
  • This sounds like a bug in Firefox. You should consider taking time to [report this as a bug in the Mozilla bugzilla](http://stackoverflow.com/questions/33059442/how-as-a-programmer-to-report-bugs-i-find-in-core-gecko-browser-engine-behavio/33059443#33059443). Use https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=DOM%3A%20Security&format=__default__ to get to the right component. – sideshowbarker May 22 '16 at 07:55
  • @sideshowbarker It already is reported and is being worked on. – turbo May 22 '16 at 09:30
  • @mınxomaτ URL for the bug? – sideshowbarker May 22 '16 at 09:45
  • @sideshowbarker [1271796](https://bugzilla.mozilla.org/show_bug.cgi?id=1271796); depends on [1269241](https://bugzilla.mozilla.org/show_bug.cgi?id=1269241). – turbo May 22 '16 at 10:08
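An SRI hash covers the exact bytes the browser receives for the resource, so two generators or two browsers can only disagree if they hashed different byte sequences. The following Python is an added example, not code from the question or from any of the tools mentioned: it builds the multi-algorithm integrity value shown above, checks bytes against an integrity attribute using the SRI rule that the strongest listed algorithm decides, and shows how small byte-level differences in an otherwise identical stylesheet (a UTF-8 BOM, CRLF line endings, a stripped trailing newline, as the encoding comment above speculates) each produce a different hash. The stylesheet bytes are constructed for the demo; it does not reproduce the Firefox bug itself, which is tracked in the Bugzilla entries linked above.

```python
import base64
import hashlib

# Constructed sample stylesheet (not the asker's real company.min.css).
CSS_LF = b"body{margin:0}\n.company{color:#123456}\n"

# Relative strength of the algorithms SRI defines; unknown ones are ignored.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_integrity(data: bytes, algorithms=("sha256", "sha384", "sha512")) -> str:
    """Return an integrity attribute value over exactly these bytes:
    space-separated '<alg>-<base64 digest>' tokens, like the generators produce."""
    tokens = []
    for alg in algorithms:
        digest = hashlib.new(alg, data).digest()
        tokens.append(f"{alg}-{base64.b64encode(digest).decode('ascii')}")
    return " ".join(tokens)


def sri_matches(data: bytes, integrity: str) -> bool:
    """Check bytes the way a browser does per the SRI spec: keep only tokens with
    a supported algorithm, take the strongest algorithm present, and pass if any
    token of that strength matches. Weaker tokens never rescue a mismatch."""
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        alg = alg.lower()
        if alg not in STRENGTH:
            continue  # unknown algorithm: ignored for forward compatibility
        parsed.append((alg, rest.split("?", 1)[0]))  # drop any option-expression
    if not parsed:
        return True  # no usable metadata: spec treats it as no integrity check
    strongest = max(STRENGTH[alg] for alg, _ in parsed)
    for alg, expected in parsed:
        if STRENGTH[alg] != strongest:
            continue
        actual = base64.b64encode(hashlib.new(alg, data).digest()).decode("ascii")
        if actual == expected:
            return True
    return False


def representation_variants(css: bytes) -> dict:
    """Hash a few byte-level re-encodings of the same stylesheet text. Every one
    is the 'same' CSS to a human and a different resource to SRI."""
    return {
        "as-is (LF)": sri_integrity(css, ("sha256",)),
        "utf-8 BOM prepended": sri_integrity(b"\xef\xbb\xbf" + css, ("sha256",)),
        "CRLF line endings": sri_integrity(css.replace(b"\n", b"\r\n"), ("sha256",)),
        "trailing newline stripped": sri_integrity(css.rstrip(b"\n"), ("sha256",)),
    }


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte between two captures (e.g. the file
    on disk vs. the body a browser actually received), or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    print(sri_integrity(CSS_LF))
    for label, value in representation_variants(CSS_LF).items():
        print(f"{label:28s} {value}")
    print("BOM variant differs at byte", first_difference(CSS_LF, b"\xef\xbb\xbf" + CSS_LF))
```

To narrow down a mismatch like the one in the question, save the body exactly as each browser received it (the raw response from the network panel, not the pretty-printed source view) and run `first_difference` against the file on disk; the offset tells you whether a BOM, a line-ending rewrite, or a transfer-encoding artifact changed the bytes before hashing.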
