Google Fonts sends different responses depending on browser. Using srihash.org will only provide one of many required hashes. about srihash.org HOT 11 CLOSED

Yeesh!!! The hash generated is browser dependent. If I generate on Firefox and display on Chrome, I get an error.
and vice-versa. If I display on the same version as generated, it works. Bad news!

from srihash.org.

Your hash output does not match the URL.
The actual hash384 output for https://fonts.googleapis.com/icon?family=Material+Icons is sha384-r4ArzcycohCKpd5lRaMM1i3qmqqCo7BsUvmnhusfNZ5LXOGHyZR8j+TURxWIGUO/

from srihash.org.

I used this website: https://www.srihash.org/ Is this the wrong site?
I used this URL: https://fonts.googleapis.com/icon?family=Material+Icons
I selected 'SHA-384' from the pulldown to the right of the URL
I clicked on 'Hash!'
I copied the following output:
<link rel="stylesheet" href="https://fonts.googleapis.com/icon?family=Material+Icons" integrity="sha384-zfmep/8lfJ4cVW8HCW1SWfWf0ckqJhJDO5kJ2udXM/imt7aX9neyBDFFyuL1TT50" crossorigin="anonymous">
I got the following error:
Browser(s) (Chrome and Firefox) error
The hash in the 'integrity' attribute doesn't match the received payload.
What could I do differently on the site to get the hash that you came up with?
Even when I paste in your hash from above, I get the same error

from srihash.org.

I cannot reproduce your bug on my computer. Could you record your screen during the operation above please?

from srihash.org.

Browser Version:

Hope this helps

from srihash.org.

Here is a description of the problem from someone else:
https://stackoverflow.com/questions/44043585/google-chrome-sri-hash
sounds like the hash is browser dependent. If I acquire the has on Firefox,
and display using Chrome, it doesn't work? I'll test...
Having to use a different hash depending on the browser would be unfortunate.

from srihash.org.

Well...Google Fonts seems to have some problems...
I think we could do nothing with this problem, since the hash value should change if the content of the file has changed.

from srihash.org.

One possible way is generating multiple hash value for different user agent as this comment. I will try this solution.

from srihash.org.

To summarize: Google Fonts is serving a different file depending on the browser being used. Naturally, srihash.org can only detect the resource that the current browser is seeing and can not ensure the server will always serve the same response.

I could imagine turning this issue into a work item detect about popular CDNs that serve browser-dependent payloads on srihash.org and emit a tiny warning/info box when people use it for e.g., google fonts. Would anyone of the folks in there be interested in figuring out and implementing such a feature?

from srihash.org.

I'm working on it.

from srihash.org.

#518 :)

from srihash.org.