The integrity value generated by Fingerprint contains a semicolon “;”. How can I remove the semicolon?

Not to worry. I’m replying to Jmooring (developer) about this matter.

Basically, we both use the same Hugo version, the same test code, and the same server commands, but get different output. We will have to wait for them to give the green light to create a GitHub ticket to investigate the matter.

For now, you can use the --minify or htmlUnescape workaround.

Just curious: does this <script src="http://localhost:41771/main.bebf03e703fbb43281ebb42f0172be2310956d69d2b6e7a062b657dd22a704f0.js" integrity="sha256-vr8D5wP7tDKB67QvAXK&#43;IxCVbWnStuegYrZX3SKnBPA="></script> fail to work when used in Chrome?

Please do not create a GitHub issue.

git clone --single-branch -b hugo-forum-topic-45374 https://github.com/jmooring/hugo-testing hugo-forum-topic-45374
cd hugo-forum-topic-45374
hugo server

First, look in the terminal console

WARN  sha256-U2B5qiZ9Wi9zEvSBZq2/NspY04zDZXcNyXJY+disnbc=
                                                 -

The plus sign in the .Data.Integrity value is not encoded.

Next, view source by pressing Ctrl+U in your browser

integrity="sha256-U2B5qiZ9Wi9zEvSBZq2/NspY04zDZXcNyXJY&#43;disnbc="
                                                      -----

The plus sign is encoded by Go’s html/template package. There’s a related issue that’s been open for a few years, but there’s not a strong case to change anything.

Next, view the HTML as interpreted by your browser (dev tools)

integrity="sha256-U2B5qiZ9Wi9zEvSBZq2/NspY04zDZXcNyXJY+disnbc=" 
                                                      -

The browser decodes &#43; to + as expected, and the SRI check passes.

If you don’t trust the browser to properly decode…

<link rel="stylesheet" href="{{ .RelPermalink }}" {{ printf "integrity=%q" .Data.Integrity | safeHTMLAttr }} crossorigin="anonymous">
4 Likes
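The three views walked through above (template data, page source, browser-decoded value) can be reproduced with Go's html/template directly. This is an added example, not code from the thread or from Hugo; `tag`, `decoded` and `plusBody` are hypothetical helpers, and the sample script body is constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"html"
	"html/template"
	"strings"
)

// sri returns the Subresource Integrity value for a resource body.
func sri(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha256-" + base64.StdEncoding.EncodeToString(sum[:])
}

// tag renders a script tag. trusted=true mirrors the safeHTMLAttr workaround.
func tag(v string, trusted bool) string {
	tmpl, data := `<script integrity="{{ . }}"></script>`, any(v)
	if trusted {
		tmpl, data = `<script {{ . }}></script>`, template.HTMLAttr(fmt.Sprintf("integrity=%q", v))
	}
	var buf strings.Builder
	if err := template.Must(template.New("t").Parse(tmpl)).Execute(&buf, data); err != nil {
		panic(err)
	}
	return buf.String()
}

// decoded extracts the attribute and decodes character references, as a browser does.
func decoded(markup string) string {
	_, rest, _ := strings.Cut(markup, `integrity="`)
	value, _, _ := strings.Cut(rest, `"`)
	return html.UnescapeString(value)
}

// plusBody returns constructed sample JavaScript whose digest contains '+'.
func plusBody() []byte {
	for i := 0; ; i++ {
		if b := []byte(fmt.Sprintf("console.log(%d);", i)); strings.Contains(sri(b), "+") {
			return b
		}
	}
}

func main() {
	v := sri(plusBody())
	fmt.Println(tag(v, false), tag(v, true), decoded(tag(v, false)) == v)
}
```

Any tool that reads the integrity value from the page source rather than from the parsed DOM needs the same decoding step as `decoded` before comparing or reusing the value.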

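When the integrity value contains a semicolon ;, browsers such as Chrome and Edge pass the check normally. It was only when I was configuring HTTP2 Server Push that the semicolon affected my configuration; otherwise this problem can really be ignored.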

I see. In that case, the SRI generated by Hugo is not a problem at all. In fact, this thread is not a problem at all. For web safety, HTML data-related code is always encoded with escaped characters (reason already presented above).

Any HTML-related software (e.g. Chrome, Firefox) must be able to unconditionally unescape HTML data-related code before consumption. Otherwise, the bug is related to, and originates from, that software’s decoding algorithm.

Okay, we can close the case now and have a good sleep. =)

Side note: Thanks jmooring!

1 Like
