SRI not working with Sprockets 4

[renchap]

When using SRI (javascript_include_tag '...', integrity: true) with Sprockets 4, the integrity attribute in the <script> tag is wrong.

I made a small Rails app to reproduce the issue :

git clone https://github.com/renchap/rails-test-app.git
cd rails-test-app
git checkout system-tests-assets-integrity
bundle
rails db:migrate
rails test:system

There is a sleep in the test (https://github.com/renchap/rails-test-app/blob/system-tests-assets-integrity/test/system/home_test.rb#L9) so you can check the Selenium Chrome window's inspector, and see something like :

Failed to find a valid digest in the 'integrity' attribute for resource
'http://127.0.0.1:54861/assets/application-7bd3c6b0ca58418690a1fafb443b43e4eb07f850cb34581f9d64dee1c69465ca.js'
with computed SHA-256 integrity 'L9c5nSaUb72aW1PtxbqWaF9Jgga7DSYIUanbnXnM/aI='.
The resource has been blocked.

The asset hash is indeed wrong. In the page :

<script src="/assets/application-7bd3c6b0ca58418690a1fafb443b43e4eb07f850cb34581f9d64dee1c69465ca.js" data-turbolinks-track="reload" integrity="sha256-e9PGsMpYQYaQofr7RDtD5OsH+FDLNFgfnWTe4caUZco="></script>

Recalculating the hash to be sure:

$ curl -O http://127.0.0.1:54944/assets/application-7bd3c6b0ca58418690a1fafb443b43e4eb07f850cb34581f9d64dee1c69465ca.js
2fd7399d26946fbd9a5b53edc5ba96685f498206bb0d260851a9db9d79ccfda2  application-7bd3c6b0ca58418690a1fafb443b43e4eb07f850cb34581f9d64dee1c69465ca.js
$ ruby -e 'puts [["2fd7399d26946fbd9a5b53edc5ba96685f498206bb0d260851a9db9d79ccfda2"].pack("H*")].pack("m0")'
L9c5nSaUb72aW1PtxbqWaF9Jgga7DSYIUanbnXnM/aI=

I havent looked at how Sprockets calculates the hash, but it is definitely wrong.

[renchap]

@eileencodes I dont know if you want to have a look at this one too, I think it is not related to Rails System Testing but to Sprockets.

[Fudoshiki]

Same in localhost and production with https
Sprockets 4.0.0.beta6 and master branch

[eileencodes]

Hrm, I can't imagine this is caused by system tests. Can you reproduce using Capybara and Selenium without system tests? We don't do anything special, it's just a wrapper around those tools.

[Fudoshiki]

This isn't system tests failure, SRI don't work in Sprockets 4.0.0.beta6 and master in all modes
Helper return wrong sha-256 integrity

[eileencodes]

OK thanks @Fudoshiki - I misread your comment 😄

@renchap can you update the title / info to reflect the new information? Thanks

[renchap]

I forgot about this issue :) Title updated!

[Fudoshiki]

any plans to fix this?

[ziaulrehman40]

This issue is forcing us to stay on v3 for now.

[isaacbowen]

I'm working around this with Rails.application.config.assets.version = '', in my config/initializers/assets.rb, with sprockets 4 and rails 6. This works becaaauuuse:

https://github.com/rails/sprockets/blob/08fef08562c7a6a13a7c521938e83409a33e2b77/lib/sprockets/loader.rb#L198

We're using digests in asset urls, so (unless I'm missing something) it's totally unnecessary for us to have version as a mechanism for expiring assets.

[rafaelfranca]

Closed by 5038ad5368eb8792465c2eaad453a296ce2180e0