[4.0] Script/Style hash validation broken

[wilsonge]

Steps to reproduce the issue

@SharkyKZ found the reason here: #26505 (comment)

Since #25357 rendered scripts/styles have formatting added to them. But the hash is generated from scripts/styles without formatting. So the hashes don't match scripts/styles that appear on the page.

Assuming SRI works on pages with MIME type other than text/html, this was actually broken since the beginning because we wrap code in CDATA on such pages:

joomla-cms/libraries/src/Document/Renderer/Html/HeadRenderer.php

Line 231 in 56d8a35

$buffer .= $tab . $tab . '/*<![CDATA[*/' . $lnEnd;

Expected result

CSP Script hashes work

Actual result

They don't

[zero-24]

Ok found the real reason for this. It has nothing todo with the CDATA stuff but with the $tab and $lnEnd stuff. I'm working on a patch

[zero-24]

Please see: #28719

[zero-24]

Just for a note

Assuming SRI works on pages with MIME type other than text/html, this was actually broken since the beginning because we wrap code in CDATA on such pages:

We only run CSP on HTML pages so this CDATA stuff was not the reason.