Is there a flag to disable subresource integrity checking in chromium?

Question

We're using puppeteer and sometimes playwright to run some integration tests. We mock some of the target page's script dependencies, which causes subresource integrity hash mismatches.

Failed to find a valid digest in the 'integrity' attribute for resource 'http://localhost:3000/static/third-party/adobe-target/at-js/2.4.0-cname/at.js' with computed SHA-256 integrity '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='. The resource has been blocked."

Is there a way to disable integrity hash checking via a flag or configuration property?

Answer 1

No. I believe the only way is to fix or remove the integrity attribute from the source that loads the script.

Looking at the chromium (or blink) source, unless the integrity attribute is empty, the FetchManager::Loader will instantiate the SRIVerifier, whose constructor calls its OnStateChange method, where for response types of basic, cors, default (leaving out opaque responses and errors), SubresourceIntegrity::CheckSubresourceIntegrity is called. Unless the parsing of the integrity attribute fails, SubresourceIntegrity::CheckSubresourceIntegrityImpl will either successfully verify one of the digests, or it will fail with the given error message. There is no configuration option checked along this path to override a failed check.

Answer 2

I confirm that you can't do this in Chrome. The reason being that it's not implemented behind a runtime flag. A flag like this can technically be added but probably not worth it.

I'm sure you can work around this, e.g. load puppeteer with an extension that removes the integrity attribute, or remove the attribute from within puppeteer?