webcompat / web-bugs

A place to report bugs on websites.
https://webcompat.com
Mozilla Public License 2.0

github.factset.com - design is broken #14307

Closed lonelydev closed 6 years ago

lonelydev commented 6 years ago

URL: https://github.factset.com/cmt/cmt/pulls?q=is%3Apr+is%3Aopen+reviewed-by%3Aegopalakrish

Browser / Version: Firefox 58.0
Operating System: Windows 7
Tested Another Browser: Yes

Problem type: Design is broken
Description: None of the "sha256" hashes in the integrity attribute match the content of the subresource
Steps to Reproduce: Just tried to load the site. layout.css.servo.enabled: true. The site loads in Chrome. As the design is so badly broken, the site is pretty much unusable on Firefox.

From webcompat.com with ❤️

karlcow commented 6 years ago

@lonelydev Thanks for the report. For now I don't get any site at all from my location.


karlcow commented 6 years ago

https://factset.com/ is working. Is this an internal website?

karlcow commented 6 years ago

It looks like it. Something done for GitHub Enterprise. Probably a private repo. Fwiw it looks like something is blocking the CSS or JS. Do you have any ad blocker by chance?

lonelydev commented 6 years ago

Hey, it is an internal website. There are no ads being served on the internal website. The console error is the sha problem.

[screenshot]

lonelydev commented 6 years ago

the site works perfectly fine in chrome.

lonelydev commented 6 years ago

but as firefox is my favourite browser I don't generally like using chrome.

lonelydev commented 6 years ago

A screenshot of how bad the page is:

[screenshot]

miketaylr commented 6 years ago

Yeah, if subresource integrity fails, the browser should refuse to load that resource. So that explains why there's no CSS loading on the page, and possibly some JS. See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity for more info.

Hard to say if this is the server that is misconfigured, or if we've regressed something.

@lonelydev does the site load in earlier versions of Firefox, say 56 or 57?

miketaylr commented 6 years ago

Possibly @fmarier might be aware of similar issues, or ideas on how to proceed with debugging.

fmarier commented 6 years ago

If you wget the affected subresource and then compute its hash manually as per the instructions on https://www.srihash.org/, does it match the hash that's in the integrity attribute inside the page?

lonelydev commented 6 years ago

@miketaylr I read about the subresource integrity article. But if that is the case why does it load properly in chrome. At work here this is an excuse for my fellow chrome loving colleagues to mock me. We only just moved to github enterprise. So I am not aware of how it worked in earlier versions of Firefox. @fmarier I will try out what you said and post an update here.

miketaylr commented 6 years ago

Hi @lonelydev,

But if that is the case why does it load properly in chrome.

It's entirely possible Firefox has a bug, or that Chrome isn't following the spec and is displaying the content when it shouldn't be. Either way, your help will make the web better, so thanks for reporting. 💯

Any followup with the info requested via https://www.srihash.org/ will be super helpful. Thanks!

lonelydev commented 6 years ago

I logged into my company's Linux host and ran the following:

wget https://assets.githubdev.factset.com/assets/frameworks-9be27f368479f4cadaa2dbf4642c7989afac396d6c61ec3ec4112aa0ad2494ab.js
--2017-12-21 10:11:39--  https://assets.githubdev.factset.com/assets/frameworks-9be27f368479f4cadaa2dbf4642c7989afac396d6c61ec3ec4112aa0ad2494ab.js
Resolving assets.githubdev.factset.com... 164.55.141.149
Connecting to assets.githubdev.factset.com|164.55.141.149|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 252541 (247K) [application/javascript]
Saving to: `frameworks-9be27f368479f4cadaa2dbf4642c7989afac396d6c61ec3ec4112aa0ad2494ab.js'

100%[===============================================================================================================================================================================================>] 252,541     --.-K/s   in 0.004s

2017-12-21 10:11:39 (65.2 MB/s) - `frameworks-9be27f368479f4cadaa2dbf4642c7989afac396d6c61ec3ec4112aa0ad2494ab.js' saved [252541/252541]

Then I followed instructions from https://www.srihash.org/ I ran the following:

openssl dgst -sha384 -binary frameworks-9be27f368479f4cadaa2dbf4642c7989afac396d6c61ec3ec4112aa0ad2494ab.js | openssl base64 -A
LvV3S+nbza+U6NLb+86VrdhBCTfeScd8ne+8U2Ejbt+9mVmPjXxNoExvVm5lvbF+

That clearly does not match the integrity attribute's value of the resource. Because the integrity attribute's value is sha256-m+J/NoR59Mraotv0ZCx5ia+sOW1sYew+xBEqoK0klKs=

However the value does mention sha256. So I ran the same openssl command with sha256 and got the right value.

openssl dgst -sha256 -binary frameworks-9be27f368479f4cadaa2dbf4642c7989afac396d6c61ec3ec4112aa0ad2494ab.js | openssl base64 -A
m+J/NoR59Mraotv0ZCx5ia+sOW1sYew+xBEqoK0klKs=

Does this mean that Firefox fails the sha256 tests?

To my surprise I was wrong. Because I opened http://w3c-test.org/subresource-integrity/subresource-integrity.sub.html and the version of Firefox I use actually passed all of it, including the sha256 version.

[screenshot]

All the resources (CSS, JavaScript, etc.) on the locally hosted enterprise GitHub have crossorigin="anonymous" and integrity attributes.
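To make the mechanism miketaylr describes above and the manual openssl check in this comment concrete, here is an added Python example; it is not code from this thread, from webcompat, or from Firefox. It computes an integrity value for a byte string the same way the `openssl dgst -sha256 -binary ... | openssl base64 -A` pipeline does, and then performs the browser-side match as the SRI spec specifies: parse the attribute into hash expressions, pick the strongest listed algorithm, and accept the resource if its digest matches any listed value for that algorithm. The sample resource bytes and the `sri_check.py` file name are constructed for the example; the attribute string is the one quoted in this thread and is used only to show parsing.

```python
"""Subresource Integrity (SRI) computation and matching, as a user agent does it.

Added example for this thread, not code from webcompat or Firefox.
SAMPLE_JS is constructed input standing in for the framework bundle.
"""
import base64
import hashlib
import hmac
import re
import sys

# Algorithms the SRI spec allows, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# hash-algo "-" base64-value, optionally followed by "?options".
_HASH_EXPR = re.compile(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(?:\?\S*)?")


def compute_sri(body: bytes, algorithm: str = "sha256") -> str:
    """Integrity metadata ('algo-base64digest') for exactly the bytes given.

    Equivalent to: openssl dgst -<algo> -binary FILE | openssl base64 -A
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attribute: str) -> list[tuple[str, str]]:
    """Split an integrity attribute into (algorithm, base64digest) pairs.

    Tokens that are not well-formed hash expressions, or that name an
    algorithm we do not support, are ignored rather than failing the load,
    which is what the spec prescribes.
    """
    pairs = []
    for token in attribute.split():
        match = _HASH_EXPR.fullmatch(token)
        if match:
            pairs.append((match.group(1), match.group(2)))
    return pairs


def verify_sri(body: bytes, attribute: str) -> bool:
    """Decide whether `body` may be used under the given integrity attribute.

    Spec algorithm: take the strongest algorithm present, hash the body with
    it, and accept if the result matches any listed digest for that algorithm.
    An attribute with no usable metadata imposes no check at all.
    """
    pairs = parse_integrity(attribute)
    if not pairs:
        return True
    strongest = max((algo for algo, _ in pairs), key=SRI_ALGORITHMS.index)
    actual = compute_sri(body, strongest).split("-", 1)[1]
    candidates = [digest for algo, digest in pairs if algo == strongest]
    # compare_digest avoids leaking where the strings first differ via timing.
    return any(hmac.compare_digest(actual, expected) for expected in candidates)


# Constructed sample resource (not the real frameworks-*.js from the thread).
SAMPLE_JS = b"(function(){window.sample='constructed SRI demo';})();\n"

# The attribute quoted in the thread, used here only to demonstrate parsing.
THREAD_ATTRIBUTE = "sha256-m+J/NoR59Mraotv0ZCx5ia+sOW1sYew+xBEqoK0klKs="


def demo() -> dict:
    """Run the checks discussed in the thread and return the outcomes."""
    good = compute_sri(SAMPLE_JS, "sha256")
    # The first mistake made in the thread: a sha384 digest compared against
    # an attribute that says sha256. It must fail.
    wrong_algo = "sha256-" + compute_sri(SAMPLE_JS, "sha384").split("-", 1)[1]
    return {
        "matches_own_digest": verify_sri(SAMPLE_JS, good),
        "one_byte_change_fails": verify_sri(SAMPLE_JS + b"\n", good),
        "sha384_digest_under_sha256_label_fails": verify_sri(SAMPLE_JS, wrong_algo),
        # A bogus sha256 entry is ignored when a valid stronger sha384 is listed.
        "strongest_listed_algorithm_wins": verify_sri(
            SAMPLE_JS, f"sha256-AAAA {compute_sri(SAMPLE_JS, 'sha384')}"),
        "thread_attribute_parsed": parse_integrity(THREAD_ATTRIBUTE),
    }


if __name__ == "__main__":
    # Usage: python sri_check.py [FILE ["INTEGRITY ATTRIBUTE"]]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JS
    print("integrity value:", compute_sri(data))
    if len(sys.argv) > 2:
        print("matches attribute:", verify_sri(data, sys.argv[2]))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

One caveat worth keeping in mind when reproducing the manual check: the browser hashes the response body it actually received (after any Content-Encoding is decoded), so the file a separate client such as wget downloads only tells you what that client was served. If a server or intermediary hands different bytes to different clients, the offline check can pass while the in-browser check still fails; comparing the Content-Length and hash of the resource as fetched from the browser's network panel against the offline copy is the quickest way to rule that out.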

fmarier commented 6 years ago

Thanks for the extra details @lonelydev. I opened a bug for this (https://bugzilla.mozilla.org/show_bug.cgi?id=1426765) since it looks like it might be a bug in Firefox. I will need to investigate this further to determine the exact cause.

Could you please either attach the affected .js file on the bug (if you have a bugzilla account) or email it to me (francois@mozilla.com)? I would also like to see the full <script> tag from the HTML of that page.

Thanks again for the report!

lonelydev commented 6 years ago

The full script tag is:

<script crossorigin="anonymous" integrity="sha256-m+J/NoR59Mraotv0ZCx5ia+sOW1sYew+xBEqoK0klKs=" src="https://assets.github.factset.com/assets/frameworks-9be27f368479f4cadaa2dbf4642c7989afac396d6c61ec3ec4112aa0ad2494ab.js"></script>

lonelydev commented 6 years ago

Attaching the .js file as a .log file as it wouldn't let me attach JavaScript files. The file is minified so I don't know how useful it is.

frameworks-9be27f368479f4cadaa2dbf4642c7989afac396d6c61ec3ec4112aa0ad2494ab.log

softvision-sergiulogigan commented 6 years ago

https://bugzilla.mozilla.org/show_bug.cgi?id=1426765 was opened for this reported issue. Closing this one as duplicate.

mozfreddyb commented 6 years ago

@lonelydev There are some additional questions. Can you take a look at https://bugzilla.mozilla.org/show_bug.cgi?id=1426765#c4 ? No worries if you have no Bugzilla account. Just reply here instead and I'll copy things over for you.

(hoping that there won't be a lot of back and forth. If that's the case, I'll let you know)