I have an emberjs application which has been deployed and in google chrome browser im getting the following errors for 2 of the .js files.
Failed to find a valid digest in the 'integrity' attribute for resource 'http://staging.org.com/assets/vendor-0ada2c9fb4d3e07ad2f0c6a990945270.js' with computed SHA-256 integrity 'Sb4Xc/Oub27QW0MKlqK0sbq0Mm476jU7MgJaCzd/gKk='. The resource has been blocked
When i inspect the file i can see script tags for the two .js files in question. I'm not 100% sure how this integrity check works. You can see the integrity attribute below with the sha's.
<script src="/assets/vendor-0ada2c9fb4d3e07ad2f0c6a990945270.js" integrity="sha256-s3XY9h9v9IThygF6UkWRvWZsf7zeTqYJ1rLfDgg1bS0= sha512-k3lfqdeZw3OcsECfD3t99Hidh6IoRlFSoIu5nJk0FkLYHwx0q/rddirj4jh4J73dmLwKfG9mx0U5Zf6ZzRBsvA==" ></script>
<script src="/assets/g-web-56670cf0485cf52f54589091e2a25cc8.js" integrity="sha256-jNmWqO61OPijscQ5cHVSbB1Ms5wKX78ZACYdhrUo3X4= sha512-oiksgRFsqgHaCvXPvd3SAsUuX4zPeVClQBIgrOgIKNBMa3hPqCHknoFqDGRtSyfN4EdIkfk/x1zSqBqRvONAGQ==" ></script>
The emberjs application is built using a docker image, deployed to kubernetes and an aws elb running haproxy is handling the routing for this application such that when i navigate to staging.x.com
it routes to the internal dns in kubernetes of this service (emberjs web app).
What's interesting to note;
ember serve
locally works and the applications loads fine.The issue is only occurring on my deployed staging environment.
The integrity attribute allows a browser to check the fetched script to ensure that the code is never loaded if the source has been manipulated. Subresource Integrity (SRI) is a W3C specification that allows web developers to ensure that resources hosted on third-party servers have not been altered.
I got this error when deploying a Blazor WebAssembly app.
Failed to find a valid digest in the 'integrity' attribute for resource
And then it showed several NuGets. Manually deleted all bin
and obj
folders in the solution and then redeployed. After this everything worked.
https://github.com/dotnet/aspnetcore/issues/28692#issuecomment-783333400
Ember uses Subresource Integrity (SRI) by default to increase the security of applications built with the framework.
The Mozilla Development Network has a good explanation of SRI:
Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.
The hash described there is generated and injected into the index.html
at build time of the Ember application. If any part of your stack (deployment, web server, proxy etc.) modifies the file, the hash in index.html
won't match the hash of th served file anymore. The Browser will therefore block the execution of that asset and throw the error you mentioned in your question instead.
The documentation of ember-cli-sri, which provides the integration in Ember build pipeline warns about that one:
In code that uses SRI, you MUST NOT tamper with the built output JavaScript files as code will not load.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With