angular-cli: Subresource integrity / filename hash inconsistency

Versions

Angular CLI: 1.6.3
Node: 9.3.0
OS: darwin x64
Angular: 5.2.0
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... platform-server, router

@angular/cli: 1.6.3
@angular-devkit/build-optimizer: 0.0.36
@angular-devkit/core: 0.0.22
@angular-devkit/schematics: 0.0.42
@ngtools/json-schema: 1.1.0
@ngtools/webpack: 1.9.3
@schematics/angular: 0.1.11
@schematics/schematics: 0.0.11
typescript: 2.5.3
webpack-bundle-analyzer: 2.9.2
webpack: 3.10.0

AND

Angular CLI: 1.6.4
Node: 9.3.0
OS: darwin x64
Angular: 5.2.0
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... platform-server, router

@angular/cli: 1.6.4
@angular-devkit/build-optimizer: 0.0.38
@angular-devkit/core: 0.0.25
@angular-devkit/schematics: 0.0.48
@ngtools/json-schema: 1.1.0
@ngtools/webpack: 1.9.4
@schematics/angular: 0.1.13
@schematics/schematics: 0.0.13
typescript: 2.5.3
webpack-bundle-analyzer: 2.9.2
webpack: 3.10.0

Repro steps

I don’t have a minimal reproduction, but here is a gist with two yarn lockfiles: https://gist.github.com/karptonite/925a56d957a34ff65063d52e619f7fcc

Observed behavior

When building with --prod --subresource-integrity, the subresource integrity SHA hash can change without the hashed filename changing as dependencies are updated.

In the two yarn lockfiles shown, nothing that is included in polyfills changed, and the hashed filename (--output-hashing all, since --prod is set) remains unchanged between builds. However, because some other dependencies were updated (notably, the uglify version changed), the integrity SHA hash changed. That is a problem because our js is served by a CDN, which assumes that if the filename remains unchanged, it can continue to serve from the cache.

Desired behavior

When anything that can affect the content of the minimized file changes, that should change the filename hash. This could be accomplished by naming the file based on the minimized code, but it could also be as simple as hashing in the version numbers of the relevant packages involved in minimizing the code when generating the filenames.

If you are unable to reproduce this, let me know, and I’ll see if I can figure out how to reproduce it. I got stuck (working in a minimal project) trying to force yarn to downgrade the version of uglify to match what is in my production yarn lock above.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 9
  • Comments: 27 (4 by maintainers)

Most upvoted comments

Can we get this fixed soon? I know it’s “inconvenient” and we can clear the Cloudflare cache when it happens, but… when doing daily deploys with about 100 different domains it’s getting past the point of “inconvenient” and more like a royal pain in the ass. Oh yeah, then there is the whole issue of telling everyone to clear their cache because their browser is caching the files for a year.

Ahh I just saw the contenthash is already being used, I inferred it can’t be since the hashes were the same …

At least I’ll share data to reproduce below, maybe someone can see what I’m missing

index.html: no caching; *.js: 7 days caching

cached runtime

// Webpack runtime chunk as captured from the cache (the sourceMappingURL line below
// names it runtime.6a8025c3ecb850393dc9.js). `c` maps chunk id -> SRI value, and a.e()
// applies it with `f.integrity=c[e]` before appending the <script> to document.head,
// so this file's bytes change whenever any digest embedded in `c` changes.
// Compared with the "actual runtime" listing on this page, the visible difference is
// the entry for id 13 in `c`; the file name is the same in both.
// NOTE(review): ids 13-15 have integrity values but no entry in the file-name map
// inside a.e(), so they are presumably not loaded through a.e() — confirm.
// NOTE(review): the line breaks inside this listing (one falls inside the string for
// id 21, two directly after `return`) look like page-capture wrapping; if the served
// file is a single line, digests computed over this text as shown will not match it.
!function(e){function r(r){for(var H,c,a=r[0],f=r[1],S=r[2],d=0,u=[];d<a.length;d++)t[c=a[d]]&&u.push(t[c][0]),t[c]=0;for(H in f)Object.prototype.hasOwnProperty.call(f,H)&&(e[H]=f[H]);for(i&&i(r);u.length;)u.shift()();return o.push.apply(o,S||[]),n()}function n(){for(var e,r=0;r<o.length;r++){for(var n=o[r],H=!0,c=1;c<n.length;c++)0!==t[n[c]]&&(H=!1);H&&(o.splice(r--,1),e=a(a.s=n[0]))}return e}var H={},t={4:0},o=[],c={0:"sha384-aayR7t8JlYVLi9WFgRUvUnLCKjvKw8vXfzkq+EIFqlCzGDkLYHisldg/P/5IwYlI",1:"sha384-MQVzu5lWMaH1uw3mNDiPV1kVD9bc/SYjQ4Va+kzFqJ0P4ko93rJrlG84ESFHzJh4",2:"sha384-s+9LokMi/iyW/YzeSqJZYZD2W+BpO/0074NW6K04k8dnBLREwcfD0j7g3b0T8pVW",3:"sha384-HVpBgcW4FphxT8m2FToqyp/jU+w6MRUOal7Mqlfa2bWBcaUf/fP8RhdN06JOoZee",5:"sha384-kzmiVfVJo70lvXQlvGDZEZUqpgKwBHlukYu0hCfZHSVAOn/AtYF/2qV+uhWr5CaN",6:"sha384-Wh6Pq5TE/hBlMq9y8J6PrE42JWnb6LH4oumrq/F6ob6nU6kXtGp6zBwWVkV7td65",7:"sha384-Q3/nWTaWs7+Xrvc8SpHUFhPeuH2JQlDDDvSOQTOrkRxlf4ehDwq1xtDFQ+KU3IC6",8:"sha384-jh+CRry1dxmvS6sU311vAfHlnsMmhscsQeBlkkTtxDCU0OO/rxfm9ogCZzMQIs4p",9:"sha384-CjTHfFi/Skf89p+iq3H6Rf5NJKEGpOvLFT/jFWXSWwbofNO+AtGPoj+/RS0MsQBQ",10:"sha384-yY6j9oMjgSIOuMFVz7IKkkZstzQAFSzuGTB4jBchblABBYwYXMmcIwKWyj5m10YD",11:"sha384-33S8xMGATzGCts9wqfF3oVfIzp+Ly7uz3TTUkD9HhQF0QpeY0dDwptPi2VkgLWVm",12:"sha384-j7AM4wPktT3QcYU/IQjU7WVUvr+FsGnrikrJPk03N9UAJ3HXxtBJkkfG4NS+hr9z",13:"sha384-XmtYX8znMwLP6Yyxbr/W5xx9pbUYQXMoSXXR0nUbhR6FPtxu4nJVTfrntphCz3DQ",14:"sha384-gOx9NtWSHQZnv4BWIYwE21PcA0WFcRA759ODfY8BtEujU/SFPtRQdYNuHE5UrcOW",15:"sha384-/YeLUiswuSDAmM8A6KLFuOLZv02tYVhTs5hi97xNXGcN6DDJRduMhXbPBAY6Q2+6",16:"sha384-z5w59blbp//3jbXjKwDdLtWpRHgv/PLGZaYGtATMib8lmIE3uJmQau/FEg4dGf3W",17:"sha384-35lvjg8x/9652CEYDXH3Ej43HSWVvH5sphMXDJ5GfQZsquWoCbpPz4uYRZ6qudgK",18:"sha384-fSsaRpIdCTs7KEUfaXiNFClt6jMtLLux+N/UPK+fUqtcg6zMtIMsVnbqBQIpMAxs",19:"sha384-Djh3mZh30PrkShZ8Pquz0hE0dw2uL8xkGmPgtaRZMOFW5Cv0xjAB9zPbjBCMphDZ",20:"sha384-Tw1ggSKQgq7djaTyt/u8w0u9IUh++t8wn8AQWE6wJDGILgKnj18gqC2uNS6K3RLO",21:"sha384-L66hQ4c3nzeO7927FLwBtlikfK7vCe0AGryQ
ucBSgb5h/4ANPt6jld8EliqB8Mtz",22:"sha384-XKgxrymHr8CLH4eWMPpMgCoKteebyOIzFE7UIh+4DNO08inWIWFrzbJEvSqDFb4H",23:"sha384-EvMjTT/YGHaOnrP4FnXGYy+7K6pzDF0LozFn2H87IwVJG0D92r7F+1D/Fx4HLFmL",24:"sha384-eT7dkN4RJc1rs74+vH2MiptWcTx8IIGNDFoFq9BRzEVgAq0hAFhOhtWQJjSvypU1",25:"sha384-/R7uAlHnB9NPFMsh8hP0S6jJ/7vwBfrqFaR/CB/1UjGpTBB4An0srxXBkoexFMDa",26:"sha384-YfsmlN+NBI4KUtMw9rpvR9dLUylwNgXX6Ay7bTfRKsuUeaZjS8aZhQklNE0sbQQt",27:"sha384-2KGbGdsnvRAqQsMngRltJMzw7/+wrYwke3cDLJd9+hrj0q8QEhYllx3NchHg+JjM",28:"sha384-syR+Lok8ndnMmlh3aPbbh7QlBLKT6DEDR1DbGDKq1l6mTcCci5pC/Vp2rjK99eYM",29:"sha384-lebmdzvkaIYlDyD0bWvkUjpCCf01Wv4QcFw923eJt1lKIlUJnZSPSaNr5eyFzMEf",30:"sha384-ywExl4d0EPJWTLK09ZJBVhxopq2aftCYxU69HqiZTFQlzvqwMdk7ouQaf6toa1iM",31:"sha384-JahjUAiy2jr8hkliz+RAa5QpXNP6V88u0b0DBLMofFSopSb1bTllAzN7mIMR7u8v",32:"sha384-zK/oS3Fy+7Sc/yTVI6nzrZxtEo+D2YmWwQFrsPPFpVjNoSjfFoJKS625NIaTz6GT",33:"sha384-gtMDyU7oo6UNpVKSaBs18jCfrj62yPbqBLipLBw8q2c1I9qjETq7AVC9XbmNrUIZ",34:"sha384-c7e5NvztwLdBOqlzu6b+TdmN/MxvJEnWjJO8qjZAfSb2RWfSFvIzA9RVDdUcSgSc",35:"sha384-LPtIKkYHWMz9DuCldZMoM6fckK8SB+g89oRTmS7VWZSIKrrzJxWPRBCLSywwlZ2r",36:"sha384-JedFUrpAQFAjrO7PfFbYfrOLnrtp5rVzxhIHR3J+A4g8wQa58+jHCN2aBBESB7sw"};function a(r){if(H[r])return H[r].exports;var n=H[r]={i:r,l:!1,exports:{}};return e[r].call(n.exports,n,n.exports,a),n.l=!0,n.exports}a.e=function(e){var r=[],n=t[e];if(0!==n)if(n)r.push(n[2]);else{var H=new Promise(function(r,H){n=t[e]=[r,H]});r.push(n[2]=H);var o,f=document.createElement("script");f.charset="utf-8",f.timeout=120,a.nc&&f.setAttribute("nonce",a.nc),f.src=function(e){return 
a.p+""+({0:"common"}[e]||e)+"."+{0:"39ed0ced8453662e17ad",1:"774df27269c6495e5488",2:"077615ce03357384fb8e",3:"8a03b755bbaa38581f6e",5:"e53e2e41fba7c0ad7e0a",6:"93b337261ddec8cdb5e0",7:"de09cbcf67b239e0ed2f",8:"0b35341d4577a0dc210e",9:"739f41a2c84427b7ac18",10:"d0eeb130c50eb62b203b",11:"cd75b63f84dda66b06fc",12:"fe7e1dbc2f8d5cf38782",16:"740592699feda9530474",17:"6634b5441f9b49910b50",18:"facb49809663ac8f2cdd",19:"e930d182b8935cea7b8d",20:"7533d0794808ef9acddc",21:"ba47f6e9a8fb1c803066",22:"34c78d72abcc812f9c8d",23:"042daba33b98e9018c0d",24:"e24b1161425e52536205",25:"ee97dc53b271c0324cf1",26:"83a130c42b826619a430",27:"538fd2208aa2c460a943",28:"eee515deb8c1f41cd148",29:"eb344166eae9590fcd1b",30:"259de3d2b591038503af",31:"2fcbb89fe365db8342e1",32:"04aa60e7d170ece6dcaa",33:"0bf87971c27659c3f7aa",34:"2599c5595e536bf62c0f",35:"58fd25aba11313a666a4",36:"59b686444dd08c0abbe1"}[e]+".js"}(e),0!==f.src.indexOf(window.location.origin+"/")&&(f.crossOrigin="anonymous");var S=new Error;o=function(r){f.onerror=f.onload=null,clearTimeout(d);var n=t[e];if(0!==n){if(n){var H=r&&("load"===r.type?"missing":r.type),o=r&&r.target&&r.target.src;S.message="Loading chunk "+e+" failed.\n("+H+": "+o+")",S.name="ChunkLoadError",S.type=H,S.request=o,n[1](S)}t[e]=void 0}};var d=setTimeout(function(){o({type:"timeout",target:f})},12e4);f.onerror=f.onload=o,f.integrity=c[e],f.crossOrigin="anonymous",document.head.appendChild(f)}return Promise.all(r)},a.m=e,a.c=H,a.d=function(e,r,n){a.o(e,r)||Object.defineProperty(e,r,{enumerable:!0,get:n})},a.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},a.t=function(e,r){if(1&r&&(e=a(e)),8&r)return e;if(4&r&&"object"==typeof e&&e&&e.__esModule)return e;var n=Object.create(null);if(a.r(n),Object.defineProperty(n,"default",{enumerable:!0,value:e}),2&r&&"string"!=typeof e)for(var H in e)a.d(n,H,(function(r){return 
e[r]}).bind(null,H));return n},a.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return a.d(r,"a",r),r},a.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},a.p="",a.oe=function(e){throw console.error(e),e};var f=window.webpackJsonp=window.webpackJsonp||[],S=f.push.bind(f);f.push=r,f=f.slice();for(var d=0;d<f.length;d++)r(f[d]);var i=S;n()}([]);
//# sourceMappingURL=runtime.6a8025c3ecb850393dc9.js.map

actual runtime

// Webpack runtime chunk from the current build (the sourceMappingURL line below names
// it runtime.6a8025c3ecb850393dc9.js, the same name as the cached copy). `c` maps
// chunk id -> SRI value, and a.e() sets `f.integrity=c[e]` and
// `f.crossOrigin="anonymous"` on each <script> it appends, so a stale copy of this
// file carries stale digests for the chunks it loads.
// Compared with the "cached runtime" listing on this page, the visible difference is
// the entry for id 13 in `c`: the content differs while the hashed file name does not.
// NOTE(review): ids 13-15 have integrity values but no entry in the file-name map
// inside a.e(), so they are presumably not loaded through a.e() — confirm.
// NOTE(review): the line breaks inside this listing (one falls inside the string for
// id 21, two directly after `return`) look like page-capture wrapping; if the served
// file is a single line, digests computed over this text as shown will not match it.
!function(e){function r(r){for(var H,c,a=r[0],f=r[1],S=r[2],d=0,u=[];d<a.length;d++)t[c=a[d]]&&u.push(t[c][0]),t[c]=0;for(H in f)Object.prototype.hasOwnProperty.call(f,H)&&(e[H]=f[H]);for(i&&i(r);u.length;)u.shift()();return o.push.apply(o,S||[]),n()}function n(){for(var e,r=0;r<o.length;r++){for(var n=o[r],H=!0,c=1;c<n.length;c++)0!==t[n[c]]&&(H=!1);H&&(o.splice(r--,1),e=a(a.s=n[0]))}return e}var H={},t={4:0},o=[],c={0:"sha384-aayR7t8JlYVLi9WFgRUvUnLCKjvKw8vXfzkq+EIFqlCzGDkLYHisldg/P/5IwYlI",1:"sha384-MQVzu5lWMaH1uw3mNDiPV1kVD9bc/SYjQ4Va+kzFqJ0P4ko93rJrlG84ESFHzJh4",2:"sha384-s+9LokMi/iyW/YzeSqJZYZD2W+BpO/0074NW6K04k8dnBLREwcfD0j7g3b0T8pVW",3:"sha384-HVpBgcW4FphxT8m2FToqyp/jU+w6MRUOal7Mqlfa2bWBcaUf/fP8RhdN06JOoZee",5:"sha384-kzmiVfVJo70lvXQlvGDZEZUqpgKwBHlukYu0hCfZHSVAOn/AtYF/2qV+uhWr5CaN",6:"sha384-Wh6Pq5TE/hBlMq9y8J6PrE42JWnb6LH4oumrq/F6ob6nU6kXtGp6zBwWVkV7td65",7:"sha384-Q3/nWTaWs7+Xrvc8SpHUFhPeuH2JQlDDDvSOQTOrkRxlf4ehDwq1xtDFQ+KU3IC6",8:"sha384-jh+CRry1dxmvS6sU311vAfHlnsMmhscsQeBlkkTtxDCU0OO/rxfm9ogCZzMQIs4p",9:"sha384-CjTHfFi/Skf89p+iq3H6Rf5NJKEGpOvLFT/jFWXSWwbofNO+AtGPoj+/RS0MsQBQ",10:"sha384-yY6j9oMjgSIOuMFVz7IKkkZstzQAFSzuGTB4jBchblABBYwYXMmcIwKWyj5m10YD",11:"sha384-33S8xMGATzGCts9wqfF3oVfIzp+Ly7uz3TTUkD9HhQF0QpeY0dDwptPi2VkgLWVm",12:"sha384-j7AM4wPktT3QcYU/IQjU7WVUvr+FsGnrikrJPk03N9UAJ3HXxtBJkkfG4NS+hr9z",13:"sha384-IAj4ed/3ci5j2WNXKebZrDt/upGZ2AEnlxT7UXJN9kCGmRHWL11xHr3snaFsROCs",14:"sha384-gOx9NtWSHQZnv4BWIYwE21PcA0WFcRA759ODfY8BtEujU/SFPtRQdYNuHE5UrcOW",15:"sha384-/YeLUiswuSDAmM8A6KLFuOLZv02tYVhTs5hi97xNXGcN6DDJRduMhXbPBAY6Q2+6",16:"sha384-z5w59blbp//3jbXjKwDdLtWpRHgv/PLGZaYGtATMib8lmIE3uJmQau/FEg4dGf3W",17:"sha384-35lvjg8x/9652CEYDXH3Ej43HSWVvH5sphMXDJ5GfQZsquWoCbpPz4uYRZ6qudgK",18:"sha384-fSsaRpIdCTs7KEUfaXiNFClt6jMtLLux+N/UPK+fUqtcg6zMtIMsVnbqBQIpMAxs",19:"sha384-Djh3mZh30PrkShZ8Pquz0hE0dw2uL8xkGmPgtaRZMOFW5Cv0xjAB9zPbjBCMphDZ",20:"sha384-Tw1ggSKQgq7djaTyt/u8w0u9IUh++t8wn8AQWE6wJDGILgKnj18gqC2uNS6K3RLO",21:"sha384-L66hQ4c3nzeO7927FLwBtlikfK7vCe0AGryQ
ucBSgb5h/4ANPt6jld8EliqB8Mtz",22:"sha384-XKgxrymHr8CLH4eWMPpMgCoKteebyOIzFE7UIh+4DNO08inWIWFrzbJEvSqDFb4H",23:"sha384-EvMjTT/YGHaOnrP4FnXGYy+7K6pzDF0LozFn2H87IwVJG0D92r7F+1D/Fx4HLFmL",24:"sha384-eT7dkN4RJc1rs74+vH2MiptWcTx8IIGNDFoFq9BRzEVgAq0hAFhOhtWQJjSvypU1",25:"sha384-/R7uAlHnB9NPFMsh8hP0S6jJ/7vwBfrqFaR/CB/1UjGpTBB4An0srxXBkoexFMDa",26:"sha384-YfsmlN+NBI4KUtMw9rpvR9dLUylwNgXX6Ay7bTfRKsuUeaZjS8aZhQklNE0sbQQt",27:"sha384-2KGbGdsnvRAqQsMngRltJMzw7/+wrYwke3cDLJd9+hrj0q8QEhYllx3NchHg+JjM",28:"sha384-syR+Lok8ndnMmlh3aPbbh7QlBLKT6DEDR1DbGDKq1l6mTcCci5pC/Vp2rjK99eYM",29:"sha384-lebmdzvkaIYlDyD0bWvkUjpCCf01Wv4QcFw923eJt1lKIlUJnZSPSaNr5eyFzMEf",30:"sha384-ywExl4d0EPJWTLK09ZJBVhxopq2aftCYxU69HqiZTFQlzvqwMdk7ouQaf6toa1iM",31:"sha384-JahjUAiy2jr8hkliz+RAa5QpXNP6V88u0b0DBLMofFSopSb1bTllAzN7mIMR7u8v",32:"sha384-zK/oS3Fy+7Sc/yTVI6nzrZxtEo+D2YmWwQFrsPPFpVjNoSjfFoJKS625NIaTz6GT",33:"sha384-gtMDyU7oo6UNpVKSaBs18jCfrj62yPbqBLipLBw8q2c1I9qjETq7AVC9XbmNrUIZ",34:"sha384-c7e5NvztwLdBOqlzu6b+TdmN/MxvJEnWjJO8qjZAfSb2RWfSFvIzA9RVDdUcSgSc",35:"sha384-LPtIKkYHWMz9DuCldZMoM6fckK8SB+g89oRTmS7VWZSIKrrzJxWPRBCLSywwlZ2r",36:"sha384-JedFUrpAQFAjrO7PfFbYfrOLnrtp5rVzxhIHR3J+A4g8wQa58+jHCN2aBBESB7sw"};function a(r){if(H[r])return H[r].exports;var n=H[r]={i:r,l:!1,exports:{}};return e[r].call(n.exports,n,n.exports,a),n.l=!0,n.exports}a.e=function(e){var r=[],n=t[e];if(0!==n)if(n)r.push(n[2]);else{var H=new Promise(function(r,H){n=t[e]=[r,H]});r.push(n[2]=H);var o,f=document.createElement("script");f.charset="utf-8",f.timeout=120,a.nc&&f.setAttribute("nonce",a.nc),f.src=function(e){return 
a.p+""+({0:"common"}[e]||e)+"."+{0:"39ed0ced8453662e17ad",1:"774df27269c6495e5488",2:"077615ce03357384fb8e",3:"8a03b755bbaa38581f6e",5:"e53e2e41fba7c0ad7e0a",6:"93b337261ddec8cdb5e0",7:"de09cbcf67b239e0ed2f",8:"0b35341d4577a0dc210e",9:"739f41a2c84427b7ac18",10:"d0eeb130c50eb62b203b",11:"cd75b63f84dda66b06fc",12:"fe7e1dbc2f8d5cf38782",16:"740592699feda9530474",17:"6634b5441f9b49910b50",18:"facb49809663ac8f2cdd",19:"e930d182b8935cea7b8d",20:"7533d0794808ef9acddc",21:"ba47f6e9a8fb1c803066",22:"34c78d72abcc812f9c8d",23:"042daba33b98e9018c0d",24:"e24b1161425e52536205",25:"ee97dc53b271c0324cf1",26:"83a130c42b826619a430",27:"538fd2208aa2c460a943",28:"eee515deb8c1f41cd148",29:"eb344166eae9590fcd1b",30:"259de3d2b591038503af",31:"2fcbb89fe365db8342e1",32:"04aa60e7d170ece6dcaa",33:"0bf87971c27659c3f7aa",34:"2599c5595e536bf62c0f",35:"58fd25aba11313a666a4",36:"59b686444dd08c0abbe1"}[e]+".js"}(e),0!==f.src.indexOf(window.location.origin+"/")&&(f.crossOrigin="anonymous");var S=new Error;o=function(r){f.onerror=f.onload=null,clearTimeout(d);var n=t[e];if(0!==n){if(n){var H=r&&("load"===r.type?"missing":r.type),o=r&&r.target&&r.target.src;S.message="Loading chunk "+e+" failed.\n("+H+": "+o+")",S.name="ChunkLoadError",S.type=H,S.request=o,n[1](S)}t[e]=void 0}};var d=setTimeout(function(){o({type:"timeout",target:f})},12e4);f.onerror=f.onload=o,f.integrity=c[e],f.crossOrigin="anonymous",document.head.appendChild(f)}return Promise.all(r)},a.m=e,a.c=H,a.d=function(e,r,n){a.o(e,r)||Object.defineProperty(e,r,{enumerable:!0,get:n})},a.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},a.t=function(e,r){if(1&r&&(e=a(e)),8&r)return e;if(4&r&&"object"==typeof e&&e&&e.__esModule)return e;var n=Object.create(null);if(a.r(n),Object.defineProperty(n,"default",{enumerable:!0,value:e}),2&r&&"string"!=typeof e)for(var H in e)a.d(n,H,(function(r){return 
e[r]}).bind(null,H));return n},a.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return a.d(r,"a",r),r},a.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},a.p="",a.oe=function(e){throw console.error(e),e};var f=window.webpackJsonp=window.webpackJsonp||[],S=f.push.bind(f);f.push=r,f=f.slice();for(var d=0;d<f.length;d++)r(f[d]);var i=S;n()}([]);
//# sourceMappingURL=runtime.6a8025c3ecb850393dc9.js.map

in actual index.html

<script src="runtime.6a8025c3ecb850393dc9.js" crossorigin="anonymous" type="module" integrity="sha384-EYIyRKwNC5wgFq/oLdA8qSgJIsG+IdpnW8GNIN9y+RIyxx031LMQT84jqX84oicp"></script>

sha384 sums (base64):
cached: VDinAQO6iY5043Owfl98myR/zDHxFa9Q0jmbWqE1YxjijsC49QdU2tDIw0775Biw
actual: gyhzYjNbRNkm0kVr49UbYE+nlkhh8oeH2mMogqSClQCO/fgki/miELyW/YJhdIri

For some reason, neither of them matches the integrity hash from the index.html.

Chrome 76 output:

(index):1 Failed to find a valid digest in the 'integrity' attribute for resource 'REDACTED/runtime.6a8025c3ecb850393dc9.js' with computed SHA-256 integrity 'Jm7DCdAQtJq/0IZuDjLerUcS6Mvbqxr8sLcPACeO+dw='. The resource has been blocked.

Can we please, please fix this? subresource-integrity is now useless and actually prevents the code from working correctly because the hash doesn’t match.

We have a very aggressive 1 year caching policy and now I’m fixing this at the crack of dawn since we have about 20+ people not being able to use our app

I’ve had similar issues and am currently trying a postbuild script in my package.json to update the runtime file in the html. A bit of a hack, but it may solve the problem.

const path = require('path');
const fs = require('fs');

const cheerio = require('cheerio');
const ssri = require('ssri');

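// Post-build step: give the runtime chunk a file name derived from its final bytes
// and a matching SRI value, then rewrite its <script> tag in index.html. This way
// the name served to caches changes whenever the runtime's content changes.
const baseDir = 'dist/newu-app';

const htmlSource = path.join(baseDir, 'index.html');
const markup = fs.readFileSync(htmlSource, 'utf8');
const $ = cheerio.load(markup);

$('script').each((index, element) => {
    const src = $(element).attr('src');
    // Inline <script> blocks have no src attribute; skip them instead of
    // throwing on `undefined.startsWith`.
    if (typeof src !== 'string' || !src.startsWith('runtime.')) {
        return;
    }

    const filename = path.join(baseDir, src);
    const data = fs.readFileSync(filename);

    // MD5 is used only to name the file for cache busting; the sha384 value
    // written to the integrity attribute is what the browser verifies.
    const md5 = ssri.fromData(data, {algorithms: ['md5']}).hexDigest();
    const integrity = ssri.stringify(ssri.fromData(data, {algorithms: ['sha384']}));

    const newSrc = `runtime.${md5}.js`;
    const newFilename = path.join(baseDir, newSrc);
    $(element).attr('src', newSrc);
    $(element).attr('integrity', integrity);

    // Copy rather than rename: the file under its original name stays in the output.
    fs.copyFileSync(filename, newFilename);
});

const html = $.html();
fs.writeFileSync(htmlSource, html);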

It seems to work for me and may help others

This issue is related to a bug in the webpack-subresource-integrity plugin that was fixed in version 1.3.2: https://github.com/waysact/webpack-subresource-integrity/issues/101

Therefore I guess raising the version of webpack-subresource-integrity to 1.3.2 should help (it worked for me locally with npm-shrinkwrap)

I’m using angular cli 7.0.5 and it has pulled in webpack 4.19.1

We are being hit by this bug too.

Consider that the runtime.js file may be in the end user’s browser cache so that purging the CDN cache doesn’t help.