script integrity check fails from cloudflare CDN

Fixed Issue #15111126

Details

Author
Dave C.
Created
Dec 15, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
16.16299
Reports
Reported by 1 person

Sign in to watch or report this issue.

Steps to reproduce

Create an html page including a CDN script tag from cloudflare, eg we at using:
<link href="//cdnjs.cloudflare.com/ajax/libs/bootstrap-datepicker/1.7.1/css/bootstrap-datepicker3.min.css" rel="stylesheet" integrity="sha256-WgFzD1SACMRatATw58Fxd2xjHxwTdOqB48W5h+ZGLHA=" crossorigin="anonymous" />
<script src="//cdnjs.cloudflare.com/ajax/libs/bootstrap-datepicker/1.7.1/js/bootstrap-datepicker.min.js" integrity="sha256-TueWqYu0G+lYIimeIcMI8x1m14QH/DQVt4s9m/uuhPw=" crossorigin="anonymous"></script>
<link href="//cdnjs.cloudflare.com/ajax/libs/bootstrap-slider/9.8.1/css/bootstrap-slider.min.css" rel="stylesheet" integrity="sha256-qxOBz0Std9dtkon+cnUi5A7HTHO0CLbp9DnkxsJuIXc=" crossorigin="anonymous" />
<script src="//cdnjs.cloudflare.com/ajax/libs/bootstrap-slider/9.8.1/bootstrap-slider.min.js" integrity="sha256-3nkG8q6ajh1K1fHC3hi142DykXlM5TA2xX3OzP/NNJM=" crossorigin="anonymous"></script>
<link href="//cdnjs.cloudflare.com/ajax/libs/bootstrap-multiselect/0.9.13/css/bootstrap-multiselect.css" rel="stylesheet" integrity="sha256-O1jJhOIWWDc3wq75g7aXDl7aEQT2XPkieX/Mz/u4hQ0=" crossorigin="anonymous" />
<script src="//cdnjs.cloudflare.com/ajax/libs/bootstrap-multiselect/0.9.13/js/bootstrap-multiselect.min.js" integrity="sha256-1fK87Pt9T7XXn/Vj3CWSfJlZkL5f73092A8YL7p7avc=" crossorigin="anonymous"></script>

The scripts are not loaded because the integrity hash check fails in Edge.
However, this was working fine in Edge before the Fall Creators update was applied.
And these same tags continue to work in IE 11 and Chrome.

Attachments

1 attachment

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “James M.”

  • Hello,

    Thank you for providing this information about the issue. Two of the three scripts (referenced in your code sample) have errors which prevent Edge and Chrome from loading them. Once I removed those, the page loaded without error in both browsers. Please update this case by attaching a complete copy of your HTML file, or a link to a webpage we can use to see your repro steps.

    Best Wishes,
    The MS Edge Team
     

  • Thanks for looking at this, James. I am happy to help you reproduce it in any way that I can.

    This is from a dynamic, data-driven, SPA that is in development, but I have been able to isolate the issue in a stand-alone web-page, which is attached (integrity-test.html).

    I have run this page in a vanilla IIS (no web.config settings at all) and the problem occurs in Edge every time.

    With integrity-test.html page:
    In Chrome and IE 11: the 3 bootstrap plug-ins load and work correctly (from cloudflare CDN).

    In Edge (41.16299.15.0): the 3 plug-ins are not loaded.

    Some possible clues:
    These same cloudflare CDN script elements were working fine in earlier versions of Edge. I believe this only started happening after the Fall Creator’s update was applied. I have also reproduced the problem on a second Windows 10 PC (other than my development machine). Unfortunately, I don’t now have easy access to a Windows 10 machine that doesn’t have Fall Creator’s update.

    Oddly, if I open excactly the same html page via the file-system (ie an address like: file:///C:/Users/david/ … /integrity-test.html) then the scripts are loaded in Edge and work as expected.

    If I remove the integrity and crossorigin attributes from the script elements, then Edge loads the plug-ins from cloudflare as expected.

    Thanks
    Dave

  • Updating my last post, I tested the integrity-test.html page on a pre Fall-Creator’s update Windows 10 and I see the same failure now (Edge version 40.15063.674.0).
    So, I don’t know which Edge version the problem started at. But these cloudflare CDN loads were definitely working every day for many months.
    Cheers

  • A little more testing and another update, bringing another wrinkle.
    I created a brand new Windows user (on a third, different PC), opened Edge and went to my integrity-test.html page. Now the scripts loaded without a problem.
    Then I went to one of my two machines where the problem was still happening and in Edge under Settings, Clear Browsing Data I selected only “Cached data and files” and cleared.
    After this, my 3 plug-ins were working again.
    So, it looks like caching is involved and I have no idea what got 2 different PC’s into that state.
    I am left with one PC/user-profile where the issue remains. I’ll leave that alone for a few days in case you want me to investigate anything there.
    Thanks,
    Dave

  • Microsoft Edge Team

    Changed Assigned To to “travil”

    Changed Assigned To to “wptsixtri@microsoft.com”

    Changed Assigned To to “Venkat K.”

    Changed Assigned To from “Venkat K.” to “Scott W.”

  • Thank you for filing this bug Dave! Based on the fact that this issue stopped being reproducible with a new local user profile, we believe that the original user profile had Fetch and/or Service Worker enabled under experimental features which caused a resource integrity bug that has since been fixed in the latest insider preview builds.

  • Microsoft Edge Team

    Changed Status to “Fixed”

You need to sign in to your Microsoft account to add a comment.

Sign in