Comments (11)
Yeesh!!! The hash generated is browser dependent. If I generate on Firefox and display on Chrome, I get an error, and vice versa.
If I display on the same version as generated, it works. Bad news!
from srihash.org.
Your hash output does not match the URL.
The actual hash384 output for https://fonts.googleapis.com/icon?family=Material+Icons
is sha384-r4ArzcycohCKpd5lRaMM1i3qmqqCo7BsUvmnhusfNZ5LXOGHyZR8j+TURxWIGUO/
from srihash.org.
I used this website: https://www.srihash.org/ Is this the wrong site?
I used this URL: https://fonts.googleapis.com/icon?family=Material+Icons
I selected 'SHA-384' from the pulldown to the right of the URL
I clicked on 'Hash!'
I copied the following output:
<link rel="stylesheet" href="https://fonts.googleapis.com/icon?family=Material+Icons" integrity="sha384-zfmep/8lfJ4cVW8HCW1SWfWf0ckqJhJDO5kJ2udXM/imt7aX9neyBDFFyuL1TT50" crossorigin="anonymous">
I got the following error:
Browser(s) (Chrome and Firefox) error
The hash in the 'integrity' attribute doesn't match the received payload.
What could I do differently on the site to get the hash that you came up with?
Even when I paste in your hash from above, I get the same error
from srihash.org.
I cannot reproduce your bug on my computer. Could you record your screen during the operation above please?
from srihash.org.
Hope this helps
from srihash.org.
Here is a description of the problem from someone else:
https://stackoverflow.com/questions/44043585/google-chrome-sri-hash
Sounds like the hash is browser dependent. If I acquire the hash on Firefox
and display using Chrome, it doesn't work? I'll test...
Having to use a different hash depending on the browser would be unfortunate.
from srihash.org.
Well...Google Fonts seems to have some problems...
I think we could do nothing with this problem, since the hash value should change if the content of the file has changed.
from srihash.org.
One possible way is generating multiple hash values for different user agents, as in this comment. I will try this solution.
from srihash.org.
To summarize: Google Fonts is serving a different file depending on the browser being used. Naturally, srihash.org can only detect the resource that the current browser is seeing and can not ensure the server will always serve the same response.
I could imagine turning this issue into a work item to detect popular CDNs that serve browser-dependent payloads on srihash.org and emit a tiny warning/info box when people use it for, e.g., Google Fonts. Would any of the folks in here be interested in figuring out and implementing such a feature?
from srihash.org.
I'm working on it.
from srihash.org.
#518 :)
from srihash.org.
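The multiple-hash approach mentioned in the thread, as an added example that is not srihash.org's code or part of any comment: the `integrity` attribute accepts several space-separated hashes, and a browser accepts the resource if it matches any hash of the strongest algorithm listed. The function names and the stylesheet bodies are constructed for illustration.

```javascript
// Added example (not srihash.org code). Payloads below are constructed samples.
const { createHash } = require("node:crypto");

const STRENGTH = ["sha256", "sha384", "sha512"]; // weakest to strongest

// One integrity token, "<alg>-<base64 digest>", for a response body.
function sriToken(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Integrity value listing a token for every distinct variant observed.
function integrityFor(variants, alg = "sha384") {
  return [...new Set(variants.map((v) => sriToken(v, alg)))].join(" ");
}

// Browser-style check: keep only tokens of the strongest algorithm present,
// then accept the body if it matches any one of them.
function matchesIntegrity(body, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => t.split("?")[0]) // ignore any "?options" suffix
    .filter((t) => STRENGTH.includes(t.slice(0, t.indexOf("-"))));
  if (tokens.length === 0) return true; // no usable metadata means no check
  const rank = (t) => STRENGTH.indexOf(t.slice(0, t.indexOf("-")));
  const best = Math.max(...tokens.map(rank));
  return tokens
    .filter((t) => rank(t) === best)
    .some((t) => t === sriToken(body, STRENGTH[best]));
}

// Constructed stand-ins for the stylesheet that different browsers receive.
const cssForBrowserA = "@font-face{font-family:'Icons';src:url(a.woff2) format('woff2')}";
const cssForBrowserB = "@font-face{font-family:'Icons';src:url(a.woff) format('woff')}";
const cssUnseen = "@font-face{font-family:'Icons';src:url(a.ttf) format('truetype')}";

function demo() {
  const single = integrityFor([cssForBrowserA]);
  const both = integrityFor([cssForBrowserA, cssForBrowserB]);
  return {
    sameBrowser: matchesIntegrity(cssForBrowserA, single),
    otherBrowser: matchesIntegrity(cssForBrowserB, single),
    otherWithBoth: matchesIntegrity(cssForBrowserB, both),
    unseenWithBoth: matchesIntegrity(cssUnseen, both),
  };
}

console.log(demo());
```

Listing several hashes only covers the variants that were actually fetched and hashed; any response the server produces later that is not in the list is still blocked.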