I am distributing an Open Source application that runs a web server. Some of the documents served by this application include scripts that use a SRI integrity attribute. This usually works as expected.
However it seems that this stops working when users put their application behind a Cloudflare proxy.
The document served looks like
<!DOCTYPE html><html><head>
<title>Offen vault</title>
<meta charset="utf-8">
</head>
<body>
<div id="host"></div>
<script src="./vendor-cdc94dde8f.js" integrity="sha384-a0MdZwqOjDjC+xI3/t9a/4G50xx7he8SS7P6KCK/zqrWVRFEV0h0IArjSe/qQcts" crossorigin="anonymous"></script>
<script src="./index-405319a057.js" integrity="sha384-kZ76R2bZkYOhXotKNPhTD7qhCBdA6Q6EIeMmFFbCGp1CPLOLamc+Zgk5Yr7vwfp6" crossorigin="anonymous"></script>
</body></html>
which (when put behind Cloudflare) fails with:
Failed to find a valid digest in the 'integrity' attribute for resource 'https://example.com/vault/vendor-cdc94dde8f.js' with computed SHA-256 integrity '7h+DJVtMpNr1FVMcCV2spIwSjnKvTKLBR8VCunEO6IE='. The resource has been blocked.
Failed to find a valid digest in the 'integrity' attribute for resource 'https://example.com/vault/index-405319a057.js' with computed SHA-256 integrity 'EUQKQfu5yNZ7NP1VpXeomJrtWqIK1E3GMHeGFRUcC+s='. The resource has been blocked.
Strange things I do not understand here are:
- this fails on Mac and Windows, but it works on Linux (cross browser)
- the error message mentions SHA-256 when the SRI specifies sha384
- the hashes mentioned in the error message do not match the integrity attribute on the scripts
When users disable the Cloudflare proxy, these installs work as expected.
Does Cloudflare somehow interact with such script resources in a way that it could make the SRI check fail? Is there an obvious mistake in my approach?
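A way to narrow this kind of failure down is to reproduce the browser's SRI check offline: hash the exact bytes the client received, compare them with the digest in the integrity attribute, and see whether the served bytes still match what the digest was computed over. The following is an added example, not code from the question or from the Offen project; the HTML, the script bodies and the "./app.js" path are constructed for the demonstration. The check follows the SRI rule that the browser only considers the strongest hash algorithm listed in the attribute, so a sha256 token is ignored whenever a sha384 token is present.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser

# SRI algorithms in increasing order of strength; browsers use the strongest one present.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_token(data: bytes, algo: str = "sha384") -> str:
    """Return an integrity token 'algo-<base64 digest>' over exactly these bytes."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> list[tuple[str, str]]:
    """Split a (possibly multi-token) integrity attribute into (algorithm, base64) pairs.

    Tokens with unknown algorithms are skipped, and optional '?options' suffixes are dropped,
    which is how the SRI spec tells browsers to treat them.
    """
    pairs = []
    for tok in attr.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(?:\?.*)?", tok)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def check_sri(data: bytes, attr: str) -> dict:
    """Mimic the browser's check: pick the strongest algorithm in the attribute, hash the
    received bytes with it, and pass if any token of that algorithm matches."""
    pairs = parse_integrity(attr)
    if not pairs:
        # No usable token: browsers load the resource as if there were no integrity attribute.
        return {"ok": True, "algo": None, "computed": None, "expected": []}
    algo = max((a for a, _ in pairs), key=SRI_ALGOS.index)
    expected = [b for a, b in pairs if a == algo]
    computed = base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")
    return {"ok": computed in expected, "algo": algo, "computed": computed, "expected": expected}


class ScriptTagCollector(HTMLParser):
    """Collect (src, integrity) pairs from <script> tags in a document."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src") and a.get("integrity"):
                self.scripts.append((a["src"], a["integrity"]))


def audit_document(html: str, fetched: dict[str, bytes]) -> dict[str, dict]:
    """Check every integrity-protected script in `html` against the bytes in `fetched`,
    keyed by the script's src attribute (e.g. the body actually returned through the proxy)."""
    collector = ScriptTagCollector()
    collector.feed(html)
    return {src: check_sri(fetched[src], integrity)
            for src, integrity in collector.scripts if src in fetched}


# Constructed sample data: the script the digest was computed over, and a byte-for-byte
# different variant with identical behaviour (whitespace stripped), which must fail the check.
ORIGINAL_JS = b"function hello(name) {\n  return 'hi ' + name;\n}\n"
REWRITTEN_JS = b"function hello(n){return'hi '+n}"

SAMPLE_HTML = f"""<!DOCTYPE html><html><head><title>demo</title></head><body>
<script src="./app.js" integrity="{sri_token(ORIGINAL_JS)}" crossorigin="anonymous"></script>
</body></html>"""

if __name__ == "__main__":
    for label, body in (("original", ORIGINAL_JS), ("rewritten", REWRITTEN_JS)):
        for src, result in audit_document(SAMPLE_HTML, {"./app.js": body}).items():
            status = "OK" if result["ok"] else "BLOCKED"
            print(f"{label:9} {src}: {status} ({result['algo']} computed {result['computed']})")
```

In practice you would fill `fetched` with the bytes of each script as downloaded through the proxied hostname and compare against a download taken with the proxy disabled; if `computed` differs between the two, the bytes have been altered in transit and the integrity attribute no longer describes what the browser receives.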