子资源完整性保护在Chrome中不起作用
[英]Subresource Integrity Protection doesn't work in Chrome
问题描述
I added integrity and crossorigin tags to my scripts according to Subresource Integrity , but now they give an error in the console saying 
我根据Subresource Integrity在脚本中添加了integrity和crossorigin标签,但现在它们在控制台中显示错误,提示
Script from origin ' http://pagead2.googlesyndication.com ' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Here is the script: 这是脚本:
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"
integrity="sha256-5xwrIw3xU3VvipjVMZNyf6+27C/a1Pxl3U0jl3hTcao="
crossorigin="anonymous"></script> <!-- Banner --> <ins class="adsbygoogle" style="display:inline-block;width:728px;height:90px" data-ad-client="ca-pub-3346556035533863" data-ad-slot="8052306231"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script>
Here is the derivation: 这是推导:
$ curl -s http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | openssl dgst -sha256 -binary | openssl base64 -A
5xwrIw3xU3VvipjVMZNyf6+27C/a1Pxl3U0jl3hTcao=
I also added the attributes to an Amazon script, and that fails too. 我也将属性添加到Amazon脚本中,并且也失败了。
Script from origin ' http://s3.amazonaws.com ' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
<script async="async" type="text/javascript" src="//s3.amazonaws.com/cc.silktide.com/cookieconsent.latest.min.js"
integrity="sha256-/8egBZx4+UIzXH8il2CNdL5+npDYgoAsjC76KHO/re4=" crossorigin="anonymous"></script>
Chrome supports SRI: http://enable-cors.org/client.html , https://www.chromestatus.com/feature/6183089948590080 Chrome支持SRI: http://enable-cors.org/client.html , https://www.chromestatus.com/feature/6183089948590080
I verified the hash is generating correctly using the example in the specifications: http://www.w3.org/TR/SRI/#integrity-metadata 我使用规范中的示例验证了散列是否正确生成: http : //www.w3.org/TR/SRI/#integrity-metadata
So why isn't it working? 那为什么不起作用呢? It works without the two new attributes. 它无需两个新属性即可工作。
Ref: https://www.srihash.org/ 参考: https : //www.srihash.org/
Chrome Version 46.0.2490.86 m Chrome版本46.0.2490.86 m
1 个解决方案
解决方案1
1 已采纳 2015-11-24 19:54:23
I think it was because the server did not specifically allow CORS, so Chrome blocked it. 我认为这是因为服务器未明确允许CORS,因此Chrome阻止了它。 Silktide cookie script moved to Cloudflare, which explicitly does have Access-Control-Allow-Origin , so now it works. Silktide cookie脚本已移至Cloudflare,后者明确具有Access-Control-Allow-Origin ,因此现在可以使用。 I don't know why the browser would care whether the server allows cross-origin scripts or not. 我不知道为什么浏览器会关心服务器是否允许跨域脚本。 It seems that as long as the hashes match it doesn't really matter where it comes from. 看起来,只要哈希值匹配,它的来源并不重要。
<script async="async" type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/1.0.9/cookieconsent.min.js"
integrity="sha256-GQ/ALY6PHdWsxA9I0NYgPmEV6zHj9H9V2ww/B3l9aPA=" crossorigin="anonymous"></script>
Server headers: 服务器头:
$ curl -I http://cdnjs.cloudflare.com/ajax/libs/cookieconsent2/1.0.9/cookieconsent.min.js
HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 19:37:10 GMT
Content-Type: application/javascript
Connection: keep-alive
Last-Modified: Mon, 19 Oct 2015 15:05:30 GMT
Expires: Sun, 13 Nov 2016 19:37:10 GMT
Cache-Control: public, max-age=30672000
Access-Control-Allow-Origin: *
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 24a791216c9b03f4-EWR
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.