@StotoV you've said you've found internet.nl's repository.

Could we add the repo link here for posterity? We could also add it (and a link to Mozilla Observatory) under a section in the README.md;, e.g.: Related Projects.

Thank you.

See https://github.com/duckduckgo/tracker-radar-collector/blob/c44275829ec55e4a5f4e3bbedc7959171823097b/crawler.js#L28

This function will output all relevant properties of a collected tag

How to reproduce:
mkdir -p ./output
echo 'https://www.huizen.nl/' >> ./output/targetList.txt
npm start -- list -i './output/targetlist.txt' -o './output'

We get the following error:

2022-01-20T10:11:18.145Z [verbose]: [Scraper][0] getting SRITag data failed

Where interacting with the CDP session fails the collection

• Add tool to check coverage
• Integrate tool in CI/CD
• Add badge to README

Puppeteer networkidle2 for instance. Also include test for this.

For bringing the tests closer to reality

https://w3c-test.org/subresource-integrity/subresource-integrity.html

This also relates to #20 and could be combined

Section on using it via the CLI and a section on using it as a module

They are dynamically inserted

Only logs that relate to SRI

I agree with the comment here that we should possibly comment out this line:

On my system, the crawler works only if I comment out the line, because there's no chromium instance on /usr/bin/chromium (it's under one of the snap folders). Thus, I get the following:

2022-01-20T11:37:13.534Z [error]: [Scraper][0] https://www.huizen.nl/ Error: Failed to launch the browser process! spawn /usr/bin/chromium ENOENT

I comment the line, and everything works well.

I believe puppeteer node package already installs a Chromium instance that it then uses under the hood.

• Install JS linter
• Integrate linter with CI/CD
• Add linter badge to README

When a hash does not match there is the option for a fallover. Check if this is implemented.

Some progress bars would be nice for longer runs. This code should not clutter the module itself however, as it can also be used as non-cli application.

Scripts may dynamically inject iframes, which may contain script tags that may fail the SRI check. The main advantage of using a JS-enabled browser such as Puppeteer (over e.g., a requests-based solution) is the ability to validate such dynamically added iframes/script tags.

Let's make sure to add a test case to demonstrate this difference.

We'd just need to inject an iframe containing some third-party script tags.
https://stackoverflow.com/a/3069972

We may have tests for the following; (just to give ideas, not concrete suggestions):
should_fail_for_dynamically_added_scripts_without_sri_attrs
should_fail_for_dynamically_added_scripts_with_invalid_sri_attrs
should_pass_for_dynamically_added_scripts_with_valid_sri_attrs

Compute the hashes of the resource and compare with the given hash.

Received a ReferenceError for btoa. Maybe it's because of my node version:

Perhaps we can change it with: let filename = Buffer.from(target).toString('base64');

We could also consider including the hostname of the target so the files are more human readable, but that's an optional feature.
Here's how Tracker Radar Collector name files:

• https://github.com/duckduckgo/tracker-radar-collector/blob/98573103f11eb0a830e93a26bab77dd2a040339c/helpers/hash.js#L7
• https://github.com/duckduckgo/tracker-radar-collector/blob/98573103f11eb0a830e93a26bab77dd2a040339c/cli/crawl-cli.js#L76

Test for #26

By locally hosting the test scripts so they do not depend on the state of W3C or the internet connection.

SRI over HTTP is a bad idea.

Check if this matches the request header.