Failed to find a valid digest in the 'integrity' attribute for resource on a deployed emberjs application

Question

I have an emberjs application which has been deployed and in google chrome browser im getting the following errors for 2 of the .js files.

Failed to find a valid digest in the 'integrity' attribute for resource 'http://staging.org.com/assets/vendor-0ada2c9fb4d3e07ad2f0c6a990945270.js' with computed SHA-256 integrity 'Sb4Xc/Oub27QW0MKlqK0sbq0Mm476jU7MgJaCzd/gKk='. The resource has been blocked

When i inspect the file i can see script tags for the two .js files in question. I'm not 100% sure how this integrity check works. You can see the integrity attribute below with the sha's.

<script src="/assets/vendor-0ada2c9fb4d3e07ad2f0c6a990945270.js" integrity="sha256-s3XY9h9v9IThygF6UkWRvWZsf7zeTqYJ1rLfDgg1bS0= sha512-k3lfqdeZw3OcsECfD3t99Hidh6IoRlFSoIu5nJk0FkLYHwx0q/rddirj4jh4J73dmLwKfG9mx0U5Zf6ZzRBsvA==" ></script>
<script src="/assets/g-web-56670cf0485cf52f54589091e2a25cc8.js" integrity="sha256-jNmWqO61OPijscQ5cHVSbB1Ms5wKX78ZACYdhrUo3X4= sha512-oiksgRFsqgHaCvXPvd3SAsUuX4zPeVClQBIgrOgIKNBMa3hPqCHknoFqDGRtSyfN4EdIkfk/x1zSqBqRvONAGQ==" ></script>

The emberjs application is built using a docker image, deployed to kubernetes and an aws elb running haproxy is handling the routing for this application such that when i navigate to staging.x.com it routes to the internal dns in kubernetes of this service (emberjs web app).

What's interesting to note;

1. Running ember serve locally works and the applications loads fine.
2. Building and running the docker image locally works and the applications loads fine.

The issue is only occurring on my deployed staging environment.

Answer 1

I got this error when deploying a Blazor WebAssembly app.

Failed to find a valid digest in the 'integrity' attribute for resource

And then it showed several NuGets. Manually deleted all bin and obj folders in the solution and then redeployed. After this everything worked.

https://github.com/dotnet/aspnetcore/issues/28692#issuecomment-783333400

Answer 2

Ember uses Subresource Integrity (SRI) by default to increase the security of applications built with the framework.

The Mozilla Development Network has a good explanation of SRI:

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.

The hash described there is generated and injected into the index.html at build time of the Ember application. If any part of your stack (deployment, web server, proxy etc.) modifies the file, the hash in index.html won't match the hash of th served file anymore. The Browser will therefore block the execution of that asset and throw the error you mentioned in your question instead.

The documentation of ember-cli-sri, which provides the integration in Ember build pipeline warns about that one:

In code that uses SRI, you MUST NOT tamper with the built output JavaScript files as code will not load.