Workbox PWA broken due to integrity hash mismatch

[thexeos]

Issue Details

• AdGuard version:
  • v3.6.4 (32)
• Filtering mode:
  • Local VPN
• Device:
  • Galaxy A5 (2017)
• Operating system and version:
  • Android 8.0.0
• Root access:
  • No

Description

When Workbox-based PWAs update (assuming their install was not blocked by any of the filters), the list of files to update may contain integrity attributes, corresponding to SRI hashes. If the hash of the received (server) response does not match the stored hash - the file download, and by extension the update process, fails.

I am seeing these two lines added to the response body for index.html from the PWA's domain (after <meta charset=utf-8> tag):

<script type="text/javascript" nonce="4faaa0101c3b4442b4e06e195dd" src="//local.adguard.org?ts=1635450354873&amp;type=content-script&amp;dmn=domain.com&amp;app=com.android.chrome&amp;css=3&amp;js=1&amp;rel=1&amp;rji=1&amp;sbe=0&amp;stealth=1&amp;uag=&amp;trref=aHR0cHM6Ly9kb21haW4uY29tLw=="></script>
<script type="text/javascript" nonce="4faaa0101c3b4442b4e06e195dd" src="//local.adguard.org?ts=1635450354873&amp;name=AdGuard%20Extra&amp;type=user-script"></script>

Generally, you can tell that the request was made by the Service Worker by inspecting the Referrer header in the request, which would typically look like 'https://domain.com/service-worker.js'.

Either way, this seems to be a recent breaking change, as this specific PWA was able to update through the same mechanism for over a year. From user perspective, this is an issue with the PWA and AdGuard would be the last place they'll look when trying to troubleshoot failed "app" updates.

I can provide the domain name of the PWA, if that would make any difference.

[Birbber]

Issue moved to AdguardTeam/CoreLibs #1539 via ZenHub