Integrity hash generated on a different file than the one built

Question

Integrity hash generated on a different file than the one built

Samy-Belarbi opened this issue a year ago · comments

Hey, it's me again ! 😬

Thanks again for your work.

I implemented, in my company app, your new SRI Feature and i am facing an error :

Failed to find a valid digest in the 'integrity' attribute for resource 'example.js' with computed SHA-384 integrity 'FFnZ[...]'. The resource has been blocked.

So i tried to locally generate a hash for my example.js, and it does not match the one generated in the entrypoints.json (but it matches the integrity hash given by my browser, shared in the error message).

After some few investigations, it looks like the chunk example.js given to the generateHash() in vite-plugin-symfony isn't exactly the same as the example.js built in my build folder. The one given has some __VITE_PRELOAD__ inside his code near where i do some lazy imports with React.

If you need some more informations please let me know.

Have a great day !

Hugues Tavernier · Answer 1 · Sat Sep 09 2023 19:27:18 GMT+0800 (China Standard Time)

hi @Samy-Belarbi, the Hash is generated inside the rollupHook : generateBundle (getFileInfos function https://github.com/lhapaipai/vite-plugin-symfony/blob/main/src/index.ts#L217)
Have you try to order vite-plugin-symfony at the end of your plugins list, after the plugin who transform __VITE_PRELOAD__ ? https://vitejs.dev/guide/using-plugins.html#enforcing-plugin-ordering.
else can you give me a reproductive example ?
good afternoon !

PaulSenon · Answer 2 · Thu Sep 14 2023 00:37:28 GMT+0800 (China Standard Time)

Have the same issue, and symfonyPlugin() is my only plugin. So I can't reorder anything.

Here is the vite config:

import { defineConfig } from 'vite';
import symfonyPlugin from 'vite-plugin-symfony';

export default defineConfig(() => {
  return {
    plugins: [
      symfonyPlugin({
        sriAlgorithm: "sha256",
      }),
    ],
    resolve: {
      alias: [
        {
          find: '@js',
          replacement: fileURLToPath(
            new URL('./path/to/my/js/asset/root', import.meta.url),
          ),
        },
      ],
    },
    build: {
      rollupOptions: {
        input: {
          // JS
          entrypoint1_js: "my/path/to/my/js/entrypoint1",
          entrypoint2_js: "my/path/to/my/js/entrypoint2",

          // CSS
          entrypoint1_css: "my/path/to/my/sass/entrypoint1",
          entrypoint2_css: "my/path/to/my/sass/entrypoint2",
        },
      },
    },
  };
});

From my investigation, yes it is because the hash is computed before __VITE_PRELOAD__ are replaced. But I'm new to this and don't know what is supposed to handle this.

Hope it helps a bit.

I'll update this thread if I ever spend more time on it :)

Darryl Hein · Answer 3 · Fri Sep 29 2023 11:06:20 GMT+0800 (China Standard Time)

I'm having the same issue.

Hugues Tavernier · Answer 4 · Fri Oct 06 2023 17:52:14 GMT+0800 (China Standard Time)

fixed with vite-plugin-symfony v4.2.0 : lhapaipai/vite-plugin-symfony@ce2783b

documentation on : https://symfony-vite.pentatrion.com/config/vite-plugin-symfony.html#enforcepluginorderingposition

in your case you will have to leave the enforcePluginOrderingPosition to true (which is the default value).