Fingerprint SRI outputs html-codes

Hi all,

I’m having trouble using Fingerprinting / SRI + CSP: The resulting integrity hash contains HTML escaped codes like + instead of +

Chrome console outputs: Unrecognized Content-Security-Policy directive ‘M=’’.

Here’s the code I used:

{{- $load_plausible := resources.Get "js/load_plausible.js" -}}
{{- $header := $load_plausible | resources.Minify | resources.Fingerprint "sha256" -}}
<script src="{{ $header.RelPermalink }}" integrity="{{ $header.Data.Integrity }}" crossorigin="anonymous"></script >

Results in:

<script src="/js/load_plausible.min.b49a185a40bc39dad22cd78a74048565c6c426d0f01b148fc2d124e94c4093e3.js" integrity="sha256-tJoYWkC8OdrSLNeKdASFZcbEJtDwGxSPwtEk6UxAk&#43;M=" crossorigin="anonymous"></script>

I’ve tried safeHTML and htmlUnescape, but can’t find a solution. I did have succes when adding this to the config:

    isPlainText = true

But that doesn’t seem to be the right way to solve this. What am I doing wrong?

Thanks a lot!

Using Hugo 0.81.0-extended

Is this a new problem? As in, did it work in earlier versions?

Ah, didn’t thought of that. Just tested with

Hugo Static Site Generator v0.80.0-792EF0F4/extended linux/amd64 BuildDate: 2020-12-31T13:46:18Z

And the problem is gone in 0.80.0. So yes, this is new for 0.81.0.


OK, that does sound like an upstream (aka Go) bug. I will check:

2 questions:

  1. Is there a newline in the output after the hyphen (e.g “sha256-” newline)?
  2. Do you happen to have this project stored somewhere for me to look at? (e.g. GitHub?)
  1. No.
    This is a 0.81.0 build of the website:

  2. I’ve invited your @bep1 Gitlab account to the private git repo. If that’s not you I’ll probably be fired tomorrow :slight_smile:

bep1 is me! And thanks for this, I did some general testing with SRI and could not reproduce what you see, so I assume it’s something else that makes that happen (a corner case of some sort).

I had a look at this.

So, this behaviour hasn’t changed in Hugo, the reason you see it now is that we have updated the minifier so you get a new hash.

So, Go encodes the “+” character, which may be ways around, but that should be a perfectly valid integrity value – and Chrome does not complain about it for me. So, I don’t understand your setup and why this fails for you.

What you can do is this:

<script src="{{ $header.RelPermalink }}" integrity="{{ $header.Data.Integrity | html }}" crossorigin="anonymous"></script>

Can confirm that | html fixes the issue. Which is great. Thank you!

As for my setup; I’ll keep in mind that there’s something specific going on when encountering future issues :slight_smile:

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.