SRI Integrity check for scripts fails when behind Cloudflare Proxy

I am distributing an Open Source application that runs a web server. Some of the documents served by this application include scripts that use an SRI integrity attribute. This usually works as expected.

However, it seems that this stops working when users put their application behind a Cloudflare proxy.

The document served looks like

<!DOCTYPE html><html><head>
<title>Offen vault</title>
<meta charset="utf-8">
</head>
<body>
<div id="host"></div>
<script src="./vendor-cdc94dde8f.js" integrity="sha384-a0MdZwqOjDjC+xI3/t9a/4G50xx7he8SS7P6KCK/zqrWVRFEV0h0IArjSe/qQcts" crossorigin="anonymous"></script>
<script src="./index-405319a057.js" integrity="sha384-kZ76R2bZkYOhXotKNPhTD7qhCBdA6Q6EIeMmFFbCGp1CPLOLamc+Zgk5Yr7vwfp6" crossorigin="anonymous"></script>
</body></html>

which (when put behind Cloudflare) fails with:

Failed to find a valid digest in the 'integrity' attribute for resource 'https://example.com/vault/vendor-cdc94dde8f.js' with computed SHA-256 integrity '7h+DJVtMpNr1FVMcCV2spIwSjnKvTKLBR8VCunEO6IE='. The resource has been blocked.

Failed to find a valid digest in the 'integrity' attribute for resource 'https://example.com/vault/index-405319a057.js' with computed SHA-256 integrity 'EUQKQfu5yNZ7NP1VpXeomJrtWqIK1E3GMHeGFRUcC+s='. The resource has been blocked.

Strange things I do not understand here are:

  • this fails on Mac and Windows, but it works on Linux (cross browser)
  • the error message mentions SHA-256 when the SRI specifies sha384
  • the hashes mentioned in the error message do not match the integrity attribute on the scripts

When users disable the Cloudflare proxy, these installs work as expected.

Does Cloudflare somehow interact with such script resources in a way that it could make the SRI check fail? Is there an obvious mistake in my approach?

Having Rocket Loader enabled? If yes, try disabling it.

Moreover, check and try disabling CSS and JS Minify at Cloudflare dashboard.

Are you using Ember or any other (Blazor wasm, GoHugo …)?

Do you use some kind of a service worker which does “caching” for Web browser?


> Having Rocket Loader enabled? If yes, try disabling it.
> Moreover, check and try disabling CSS and JS Minify at Cloudflare dashboard.

As this is not my deployment I do not know. I will relay these hints to the user.

> Are you using Ember or any other (Blazor wasm, GoHugo …)?

Nothing fancy, no. It’s a bundled script, no framework.

> Do you use some kind of a service worker which does “caching” for Web browser?

No

Hi, the deployment was mine.

> Having Rocket Loader enabled? If yes, try disabling it.

Rocket Loader was disabled

> Moreover, check and try disabling CSS and JS Minify at Cloudflare dashboard.

I did have CSS and JS minify active

Update 1: I have disabled CSS and JS minify and I still get the same error:

None of the “sha384” hashes in the integrity attribute match the content of the subresource.
