cypress: Cypress cannot test sites that implement SRI

Current behavior:

When running Cypress against a site that implements SRI hashes, resources on the page are immediately blocked by Chrome and the page will not load due to invalid hashes. Disabling chromeWebSecurity does nothing. The following error appears in the Chrome DevTools console.

Failed to find a valid digest in the 'integrity' attribute for resource 'https://{my-domain}/assets/vendor-cdn-c9965fdc08cb8e112642197db5d0fc54.js' with computed SHA-256 integrity '2/Ht5YqBxaylA4fn2318LzUh4tFwjZH4WlN0lsHme9M='. The resource has been blocked.

Desired behavior:

The page of an SRI enabled site can load and not be blocked by Chrome. Either Cypress dynamically corrects the hash when it tampers with the file, or the chromeWebSecurity option actually disables SRI checks in Chrome.

Steps to reproduce:

  1. Start a Cypress instance and configure it to point to a site that implements SRI checking (e.g. https://github.com).
  2. Implement a basic step that verifies anything on the page.
  3. Observe the test fail, the error message in the Chrome DevTools console and resources being unable to load.

Versions

Cypress 3.1.0, Fedora 28, Chrome 68.0.3440.106

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 10
  • Comments: 15 (7 by maintainers)

Most upvoted comments

I ran into this issue, seemingly out of the blue. I added the following to a script at the top of the document, and it seems to work:

if (window.Cypress) {
  // Only active under Cypress: watch the whole document for added nodes.
  const MutationObserver = window.MutationObserver || window.WebKitMutationObserver;
  if (MutationObserver) {
    new MutationObserver(function(mutations) {
      mutations.forEach(function(mutation) {
        mutation.addedNodes.forEach(processNode);
      });
    }).observe(document, { childList: true, subtree: true });
  }

  // When a script carrying an integrity attribute fails to load, replace it
  // with a copy that has the same src but no integrity attribute.
  const processNode = function(node) {
    const tagName = (node.tagName || '').toLowerCase();
    if (tagName === 'script' && node.integrity) {
      node.onerror = function(e) {
        const fb = document.createElement(tagName);
        const parent = node.parentNode;
        if (node.src) fb.setAttribute('src', node.getAttribute('src'));
        parent.appendChild(fb);
        node.remove();
      };
    }
  };
}

This is something that we will fix when #1467 is implemented.

There is a WIP PR for this: #5273

This fix is available starting in 4.6.0 as an experiment which you can access by setting this config option in your cypress.json or elsewhere:

{
	"experimentalSourceRewriting": true
}

The fix is experimental, so there may be some situations where this is not fixed.

If you’re still experiencing this issue while setting experimentalSourceRewriting to true in 4.6.0 - open a new issue with a reproducible example + screenshots, etc - filling out our issue template.

Confirmed, we have the same problem.

The code for this is done in cypress-io/cypress#5273, but has yet to be released. We’ll update this issue and reference the changelog when it’s released.

Just added this in #5273. Once released, SRI integrity attributes in script tags <script type="text/javascript"> will be rewritten to cypress:stripped-integrity attributes.

<script type="text/javascript" integrity="foo">

becomes the below which will cause integrity checking to be skipped.

<script type="text/javascript" cypress:stripped-integrity="foo">
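
Why the proxied file is blocked and what the attribute rewrite changes, as an added example that is not part of the thread and is not Cypress's code. It runs under Node.js; the asset body, the /assets/vendor.js path, readIntegrity, the regex in stripIntegrity and the simplified passesIntegrity check are assumptions made for illustration.

```javascript
const { createHash } = require('node:crypto');

// Hash algorithms SRI accepts, weakest first; only the strongest listed one is enforced.
const ALGORITHMS = ['sha256', 'sha384', 'sha512'];

// Integrity value for a resource body, e.g. "sha256-<base64 digest>".
function computeIntegrity(body, algorithm = 'sha256') {
  return `${algorithm}-${createHash(algorithm).update(body).digest('base64')}`;
}

// Simplified browser check: accept the body if any digest of the strongest algorithm matches.
function passesIntegrity(integrityAttr, body) {
  const entries = integrityAttr.trim().split(/\s+/)
    .map((token) => {
      const dash = token.indexOf('-');
      return { algorithm: token.slice(0, dash), value: token.split('?')[0] };
    })
    .filter((entry) => ALGORITHMS.includes(entry.algorithm));
  if (entries.length === 0) return true; // no usable hash: nothing is enforced
  const rank = (entry) => ALGORITHMS.indexOf(entry.algorithm);
  const strongest = Math.max(...entries.map(rank));
  return entries
    .filter((entry) => rank(entry) === strongest)
    .some((entry) => entry.value === computeIntegrity(body, entry.algorithm));
}

// Hypothetical helper: read the integrity attribute of a script tag ('' if absent).
function readIntegrity(tag) {
  const match = /\sintegrity\s*=\s*"([^"]*)"/i.exec(tag);
  return match ? match[1] : '';
}

// Regex approximation of the rewrite described above (assumption: not Cypress's implementation).
function stripIntegrity(html) {
  return html.replace(/(<script\b[^>]*?\s)integrity(\s*=)/gi, '$1cypress:stripped-integrity$2');
}

// Constructed sample: an asset as published, and the same asset after a testing proxy modified it.
const original = 'window.app = { version: "1.0.0" };';
const proxied = original + '\n/* modified by proxy */';
const tag = `<script src="/assets/vendor.js" integrity="${computeIntegrity(original)}"></script>`;

function demo() {
  const check = (t, body) => passesIntegrity(readIntegrity(t), body);
  const rewritten = stripIntegrity(tag);
  return { untouched: check(tag, original), modified: check(tag, proxied),
           afterStrip: check(rewritten, proxied), rewritten };
}
console.log(demo());
```

The modified body fails the check against the published hash, which is the "Failed to find a valid digest" error from the report; once the attribute is renamed, the browser has no hash to enforce and loads the modified body.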