Magento 2.4.8 Multi-Website Checkout Blocked: Navigating the SRI Hash Mismatch Bug

As e-commerce platforms evolve, new features are constantly introduced to enhance security and performance. Magento 2.4.8 brought Subresource Integrity (SRI) to its Content Security Policy (CSP) module, a welcome addition aimed at preventing malicious script injections. However, as highlighted in GitHub issue #40807, this new security layer inadvertently introduced a critical bug that could bring multi-website Magento installations to a grinding halt, specifically impacting the checkout process on non-base websites.

The Core Problem: SRI Hash Misplacement in Magento 2.4.8

The issue, reported by jigardhaduk, details a severe problem affecting Magento 2.4.8 environments configured with multiple websites under a single installation. The setup typically involves:

  • Magento Version: 2.4.8
  • Module Affected: magento/module-csp
  • PHP Version: 8.4.21
  • Setup: Multiple websites (e.g., 3) on a single Magento install, sharing a single pub/static/ directory, all utilizing the Magento Luma theme and en_US locale.

The root cause lies in how Magento 2.4.8 generates the sri-hashes.json file. Instead of placing this crucial file within the theme and locale-specific path (e.g., pub/static/frontend/Magento/luma/en_US/sri-hashes.json), it incorrectly writes it to the root of the static content directory: pub/static/frontend/sri-hashes.json. This misplacement leads to a critical integrity mismatch when browsers attempt to load JavaScript files on non-base websites.

Impact: Broken Checkout on Non-Base Websites

The consequences of this bug are immediate and severe. When users attempt to proceed with checkout on any website other than the one configured as the base scope, the browser console throws a SHA-256 integrity mismatch error, effectively blocking essential JavaScript files from loading. The error message typically looks like this:

SHA-256 integrity '5TLFpQkwsvDijbV/X/uwSESFj7AZkTFhIcZDV8mqv2w='. The resource has been blocked.

This blocking of resources renders the checkout process completely inoperable, a nightmare scenario for any e-commerce merchant. The author notes that deleting the incorrectly placed pub/static/frontend/sri-hashes.json file temporarily restores checkout functionality, confirming the misdirected file as the culprit.
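A read-only check for where sri-hashes.json files sit under pub/static and whether their recorded hashes still match the deployed files. This is an added example, not Magento's code or part of the original issue. It assumes the file is a flat JSON object mapping asset paths (relative to pub/static) to `sha256-<base64>` strings; the function names and sample files are constructed for illustration.

```python
import base64
import hashlib
import json
import tempfile
from pathlib import Path

def sri_sha256(path: Path) -> str:
    """SRI value for a file: 'sha256-' + base64 of the raw SHA-256 digest."""
    digest = hashlib.sha256(path.read_bytes()).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

def audit_sri(static_root: Path) -> dict:
    """Locate each sri-hashes.json under static_root and re-check its entries.

    at_area_root is True for <area>/sri-hashes.json, the placement the page reports.
    """
    report = {}
    for hashes_file in sorted(static_root.rglob("sri-hashes.json")):
        rel = hashes_file.relative_to(static_root)
        try:
            entries = json.loads(hashes_file.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            entries = {}
        # Assumed layout: {"<path relative to pub/static>": "sha256-<base64>"}
        items = entries.items() if isinstance(entries, dict) else []
        stale, missing = [], []
        for asset, expected in items:
            target = static_root / asset
            if not target.is_file():
                missing.append(asset)
            elif sri_sha256(target) != expected:
                stale.append(asset)
        report[rel.as_posix()] = {
            "at_area_root": len(rel.parts) == 2, "stale": stale, "missing": missing}
    return report

def build_constructed_tree(root: Path) -> None:
    """Constructed sample: two Luma assets, one changed after it was hashed."""
    js = root / "frontend/Magento/luma/en_US/js"
    js.mkdir(parents=True)
    (js / "a.js").write_text("console.log('a');")
    (js / "b.js").write_text("console.log('b v1');")
    prefix = "frontend/Magento/luma/en_US/js/"
    hashes = {prefix + n: sri_sha256(js / n) for n in ("a.js", "b.js")}
    (js / "b.js").write_text("console.log('b v2');")  # drift after hashing
    (root / "frontend" / "sri-hashes.json").write_text(json.dumps(hashes))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(Path(tmp))
        print(json.dumps(audit_sri(Path(tmp)), indent=2))
```

To use it on a real install, call `audit_sri(Path("pub/static"))` from the Magento root; any path listed under `stale` is one a browser enforcing SRI would refuse to load.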

Steps to Reproduce and Community Resolution

Reproducing the issue is straightforward:

  1. Install Magento 2.4.8.
  2. Create multiple websites (e.g., 3) under a single Magento installation, each with a separate domain.
  3. Ensure all websites use the Magento Luma theme and en_US locale.
  4. Run the static content deployment command:
    php bin/magento setup:static-content:deploy en_US -f
  5. Attempt to complete checkout on any non-base website.

While the issue body itself doesn't contain comment discussions, the "Progress: done" and "Issue: ready for confirmation" labels indicate that the Magento community and core team have acknowledged this critical bug. Typically, such issues lead to either an official patch release, a hotfix, or a recommended workaround provided by Adobe Commerce. For merchants and developers running multi-website Magento 2.4.8 installations, monitoring official Magento updates and applying any relevant patches or hotfixes addressing this SRI hash misplacement is paramount to ensure uninterrupted checkout functionality across all storefronts.

This incident underscores the importance of thorough testing, especially in complex multi-website environments, when upgrading to new Magento versions or enabling new security features. Staying informed about community discussions and official resolutions is key to maintaining a stable and secure e-commerce platform.
