GithubHelp home page GithubHelp logo

classicvalues / webpack-subresource-integrity Goto Github PK

View Code? Open in Web Editor NEW

This project forked from discord/webpack-subresource-integrity

0.0 1.0 0.0 60 KB

Webpack plugin for enabling Subresource Integrity.

License: MIT License

Emacs Lisp 0.22% JavaScript 98.50% HTML 1.17% CSS 0.11%

webpack-subresource-integrity's Introduction

webpack-subresource-integrity

npm version Build Status Dependency Status GitHub license

Webpack plugin for enabling Subresource Integrity.

Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation.

Features

  • Optional integration with html-webpack-plugin
  • Support for code-splitting (integrity for lazy-loaded chunks)
  • Compatible with Webpack 1.x and 2.x

Installation

npm install webpack-subresource-integrity --save-dev

Webpack Configuration Example

import SriPlugin from 'webpack-subresource-integrity';

const compiler = webpack({
    output: {
        crossOriginLoading: 'anonymous',
    },
    plugins: [
        new SriPlugin({
            hashFuncNames: ['sha256', 'sha384'],
            enabled: process.env.NODE_ENV === 'production',
        }),
    ],
});

Setting the integrity attribute for top-level assets

For the plugin to take effect it is essential that you set the integrity attribute for top-level assets (i.e. assets loaded by your HTML pages.)

With HtmlWebpackPlugin

When html-webpack-plugin is injecting assets into the template (the default), the integrity attribute will be set automatically. The crossorigin attribute will be set as well, to the value of output.crossOriginLoading webpack option. There is nothing else to be done.

With HtmlWebpackPlugin({ inject: false })

When you use html-webpack-plugin with inject: false, you are required to set the integrity and crossorigin attributes in your template as follows:

<% for (var index in htmlWebpackPlugin.files.js) { %>
  <script
     src="<%= htmlWebpackPlugin.files.js[index] %>"
     integrity="<%= htmlWebpackPlugin.files.jsIntegrity[index] %>"
     crossorigin="<%= webpackConfig.output.crossOriginLoading %>"
  ></script>
<% } %>

<% for (var index in htmlWebpackPlugin.files.css) { %>
  <link
     href="<%= htmlWebpackPlugin.files.css[index] %>"
     integrity="<%= htmlWebpackPlugin.files.cssIntegrity[index] %>"
     crossorigin="<%= webpackConfig.output.crossOriginLoading %>"
     rel="stylesheet"
  />
<% } %>

Without HtmlWebpackPlugin

The correct value for the integrity attribute can be retrieved from the integrity property of Webpack assets. However, that property is not copied over by Webpack's stats module so you'll have to access the "original" asset on the compilation object. For example:

compiler.plugin("done", stats => {
    const mainAssetName = stats.toJson().assetsByChunkName.main;
    const integrity = stats.compilation.assets[mainAssetName].integrity;
});

Note that you're also required to set the crossorigin attribute. It is recommended to set this attribute to the same value as the webpack output.crossOriginLoading configuration option.

Options

hashFuncNames

Required option, no default value.

An array of strings, each specifying the name of a hash function to be used for calculating integrity hash values. For example, ['sha256', 'sha512'].

See SRI: Cryptographic hash functions

enabled

Default value: true

When this value is falsy, the plugin doesn't run and no integrity values are calculated. It is recommended to disable the plugin in development mode.

crossorigin

DEPRECATED. Use webpack option output.crossOriginLoading instead.

Default value: "anonymous"

When using HtmlWebpackPlugin({ inject: true }), this option specifies the value to be used for the crossorigin attribute for injected assets.

The value will also be available as htmlWebpackPlugin.options.sriCrossOrigin in html-webpack-plugin templates.

See SRI: Cross-origin data leakage and MDN: CORS settings attributes

Caveats

Browser support

Browser support for SRI is currently patchy. Your page will still work on browsers without support for SRI, but subresources won't be protected from tampering.

See Can I use Subresource Integrity?

Broken browser versions

There is a known bug relating to SRI in Chrome 45 and 46 which will break loading of scripts containing certain UTF-8 characters. You might want to hold off using SRI if you need to support these Chrome versions. (Unfortunately, Chrome 45 still holds a relatively high market share of around 5% at the time of this writing.)

Hot Module Replacement

Chunks loaded via Hot Module Replacement (HMR) are not currently protected. This shouldn't be a problem because HMR is usually used only in development mode where SRI is not normally needed.

Further Reading

License

Copyright (c) 2015, 2016 Waysact Pty Ltd

MIT (see LICENSE)

webpack-subresource-integrity's People

Contributors

bruno avatar jscheid avatar klathmon avatar spspwetter avatar timer avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.