fix(#1100): remove SRI integrity from prism-tomorrow.min.css to prevent intermittent blocking #1115

Closed
bergeouss wants to merge 2 commits into nesquena:master from bergeouss:fix/1100-prism-sri-fallback

@bergeouss
Contributor

Thinking Path

  • SRI integrity check for prism-tomorrow.min.css fails intermittently
  • jsdelivr CDN serves different SHA-384 digests across edge nodes
  • When the check fails, the browser blocks the CSS entirely → no syntax highlighting
  • The fix: remove integrity attribute from the CSS link tag
  • Version pinning (@1.29.0 in URL) still provides supply-chain assurance
  • Prism JS files keep SRI (they are less affected by CDN edge issues)

What Changed

  • static/index.html: Removed integrity attribute from the prism-tomorrow.min.css <link> tag. Added a comment explaining why. Kept crossorigin="anonymous". Prism JS <script> tags retain their SRI attributes.

Why It Matters

Multiple users reported code blocks losing syntax highlighting due to SRI failures. The browser logs Failed to find a valid digest in the 'integrity' attribute. This completely breaks the code viewing experience. After this fix, syntax highlighting loads reliably.

Verification

  • pytest tests/test_issue1100_prism_sri.py -v — 4/4 pass

Risks / Follow-ups

  • Reduced SRI protection on one CSS file — acceptable tradeoff for reliability
  • A proper fix would be self-hosting Prism.js or using a subresource integrity cache
  • Prism JS SRI is retained; only the CSS theme is affected

Model Used

  • Provider: zai
  • Model: glm-5-turbo
  • Tools: Hermes Agent

Closes #1100
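
The digest check behind the console message quoted above, as an added example (not code from this PR or from the project): it builds the integrity token for a body, parses an integrity attribute, and applies the strongest-algorithm rule a browser uses, so a one-byte difference between two served copies shows up as a block. The CSS bodies are constructed samples, and sri_value is also what would produce the token for a self-hosted copy.

```python
import base64
import hashlib

# Algorithms SRI defines, weakest to strongest.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Build the integrity token for a resource body, e.g. a vendored CSS file."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> list[tuple[str, str]]:
    """Split an integrity attribute into (algorithm, base64 digest) pairs.

    Tokens are whitespace-separated; unknown algorithms are ignored and
    any '?options' suffix is dropped.
    """
    pairs = []
    for token in attr.split():
        alg, sep, b64 = token.partition("-")
        if sep and alg.lower() in _STRENGTH:
            pairs.append((alg.lower(), b64.split("?", 1)[0]))
    return pairs


def sri_allows(body: bytes, attr: str) -> bool:
    """Return True if a browser enforcing SRI would accept this body."""
    pairs = parse_integrity(attr)
    if not pairs:
        return True  # empty or unparseable metadata: nothing is enforced
    strongest = max(_STRENGTH[alg] for alg, _ in pairs)
    for alg, expected in pairs:
        if _STRENGTH[alg] != strongest:
            continue  # only the strongest algorithm present is checked
        if sri_value(body, alg).split("-", 1)[1] == expected:
            return True
    return False


# Constructed sample bodies: the same stylesheet, one with a trailing newline.
CSS_A = b"code[class*=language-]{color:#ccc}"
CSS_B = CSS_A + b"\n"
PINNED = sri_value(CSS_A)
```

Listing two digests of the same algorithm in one attribute makes either body acceptable, which is how a page can tolerate two known-good builds without dropping the check.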

…to prevent intermittent blocking

- jsdelivr serves different SHA-384 digests across edge nodes
- This caused the browser to block the CSS, breaking syntax highlighting
- Version pinning (@1.29.0) is sufficient for supply-chain assurance
- Prism JS files keep SRI (less affected by CDN edge issues)
- Add 4 tests
nesquena-hermes added the bug label Apr 26, 2026
@nesquena-hermes
Collaborator

Hold — fix is incomplete: _setResolvedTheme in boot.js still applies SRI

Good thinking on the SRI approach! The index.html change is correct, but it only covers the initial dark-theme link that's baked into the HTML. There's a second code path that re-applies the integrity attribute dynamically and that one isn't touched.

In static/boot.js, _setResolvedTheme() (~lines 651–654):

const wantIntegrity = isDark
  ? 'sha384-wFjoQ...'
  : 'sha384-rCCjoCPC...';
if (link.href !== want) { link.integrity = wantIntegrity; link.href = want; }

When the user switches themes (or on first load when the theme resolves from system preference), _setResolvedTheme fires and puts the integrity attribute back on the <link> tag — which triggers exactly the CDN edge-digest mismatch you're fixing. Light-theme users (the path that hits rCCjoCPC...) never benefit from the index.html change.

To fix:

  1. In _setResolvedTheme in boot.js, remove the link.integrity = wantIntegrity assignment (and remove the wantIntegrity variable if it's now unused)
  2. Update the tests to also verify _setResolvedTheme doesn't re-apply integrity

Once that's in, this should merge cleanly — the approach is right, it just needs to cover both theme paths.
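
An added example (not the PR's test file, whose contents are not shown on this page) of the inventory this review asks for: it lists where integrity is set for an asset in both the static HTML and the script that rewrites the link, so the two paths cannot drift apart. The HTML, host name, digest and the "after" line are constructed; the "before" line is the one quoted in the comment above.

```python
import re
from html.parser import HTMLParser


class _TagScan(HTMLParser):
    """Collect <link>/<script> tags whose URL contains the asset name."""

    def __init__(self, asset):
        super().__init__()
        self.asset = asset
        self.hits = []  # (tag, integrity value or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") or a.get("src") or ""
        if tag in ("link", "script") and self.asset in url:
            self.hits.append((tag, a.get("integrity") or None))


# `x.integrity = <expr>` but not a `==` / `===` comparison.
_JS_ASSIGN = re.compile(r"\.integrity\s*=(?!=)\s*([^;\n]+)")


def static_integrity(html, asset):
    """Integrity state of every tag in the HTML that loads the asset."""
    scan = _TagScan(asset)
    scan.feed(html)
    return scan.hits


def dynamic_integrity(js):
    """Right-hand sides of integrity assignments that set a non-empty value."""
    rhs = (m.group(1).strip() for m in _JS_ASSIGN.finditer(js))
    return [r for r in rhs if r not in ("''", '""')]


# Constructed samples (placeholder host and digest, not the project's files).
HTML = ('<link rel="stylesheet" crossorigin="anonymous" '
        'href="https://cdn.example/prismjs@1.29.0/themes/prism-tomorrow.min.css">'
        '<script src="https://cdn.example/prismjs@1.29.0/prism.min.js" '
        'integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>')
JS_BEFORE = "if (link.href !== want) { link.integrity = wantIntegrity; link.href = want; }"
JS_AFTER = "if (link.href !== want) { link.integrity=''; link.href = want; }"
```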

_setResolvedTheme was re-applying integrity attribute on theme switch,
causing the same CDN edge-digest mismatch. Now clears integrity on theme
change. Added test to verify _setResolvedTheme doesn't set SRI hashes.
nesquena-hermes added merge soon and removed hold labels Apr 26, 2026
@nesquena-hermes
Collaborator

Nice fix — that's exactly right. link.integrity='' in _setResolvedTheme cleanly clears any stale value on theme switch, covering both the light and dark paths. Moving to merge queue.

nesquena-hermes added a commit that referenced this pull request Apr 26, 2026
…SRI (#1119)

* feat: add Korean locale support (#1093, @jundev0001) — 615 keys, copy_failed added

* fix(#1094): provider deletion + false positive API key + threading deadlock (#1102, @bergeouss)

* fix(#1103): show reasoning chip on page load not only after session load (#1114, @bergeouss)

* fix(#1100): remove Prism CSS SRI integrity to fix intermittent blocking (#1115, @bergeouss)

* fix(tests): update copy_failed locale count for 7 locales (Korean added)

* fix: drop unused _cfg_cache import; update locale count comment

---------

Co-authored-by: nesquena-hermes <[email protected]>
@nesquena-hermes
Collaborator

Absorbed and shipped in v0.50.222 (PR #1119). Closing — thanks!

JKJameson pushed a commit to JKJameson/hermes-webui that referenced this pull request Apr 29, 2026
Development

Successfully merging this pull request may close these issues.

bug: Prism.js theme SRI integrity check fails intermittently — code blocks lose syntax highlighting
