waysact / Webpack Subresource Integrity

Licence: mit
Webpack plugin for enabling Subresource Integrity.

webpack-subresource-integrity

Webpack plugin for enabling Subresource Integrity.

Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation.

Features

  • Optional integration with html-webpack-plugin.
  • Automatic support for dynamic imports (also known as code splitting).
  • Compatible with all major Webpack versions, up to and including Webpack 5.

Installation

npm install webpack-subresource-integrity --save-dev
yarn add --dev webpack-subresource-integrity

Webpack Configuration Example

import webpack from 'webpack';
import SriPlugin from 'webpack-subresource-integrity';

const compiler = webpack({
    output: {
        // SRI requires scripts to be fetched in CORS mode; this sets the
        // crossorigin attribute on chunks the runtime loads dynamically.
        crossOriginLoading: 'anonymous',
    },
    plugins: [
        new SriPlugin({
            // Hash functions emitted into the integrity attribute.
            hashFuncNames: ['sha256', 'sha384'],
            // Disabled outside production so hot reloading keeps working.
            enabled: process.env.NODE_ENV === 'production',
        }),
    ],
});

Setting the integrity attribute for top-level assets

For the plugin to take effect it is essential that you set the integrity attribute for top-level assets (i.e. assets loaded directly by your HTML pages).

With HtmlWebpackPlugin

When html-webpack-plugin is injecting assets into the template (the default), the integrity attribute will be set automatically. The crossorigin attribute will be set as well, to the value of the output.crossOriginLoading webpack option. There is nothing else to be done.

With HtmlWebpackPlugin({ inject: false })

When you use html-webpack-plugin with inject: false, you are required to set the integrity and crossorigin attributes in your template as follows:

<% for (var index in htmlWebpackPlugin.files.js) { %>
  <script
     src="<%= htmlWebpackPlugin.files.js[index] %>"
     integrity="<%= htmlWebpackPlugin.files.jsIntegrity[index] %>"
     crossorigin="<%= webpackConfig.output.crossOriginLoading %>"
  ></script>
<% } %>

<% for (var index in htmlWebpackPlugin.files.css) { %>
  <link
     rel="stylesheet"
     href="<%= htmlWebpackPlugin.files.css[index] %>"
     integrity="<%= htmlWebpackPlugin.files.cssIntegrity[index] %>"
     crossorigin="<%= webpackConfig.output.crossOriginLoading %>"
  />
<% } %>

Without HtmlWebpackPlugin

The correct value for the integrity attribute can be retrieved from the integrity property of Webpack assets.

Note that with Webpack versions before 5, that property is not copied over by Webpack's stats module so you'll have to access the "original" asset on the compilation object. For example:

compiler.plugin("done", stats => {
    // stats.toJson() drops the integrity property before Webpack 5,
    // so read it from the asset on the compilation object instead.
    const mainAssetName = stats.toJson().assetsByChunkName.main;
    const integrity = stats.compilation.assets[mainAssetName].integrity;
    // Use `integrity` when rendering the <script> tag for main.
});

Note that you're also required to set the crossorigin attribute. It is recommended to set this attribute to the same value as the webpack output.crossOriginLoading configuration option.

Web Server Configuration

If your page can be loaded through plain HTTP (as opposed to HTTPS), you must set the Cache-Control: no-transform response header or your page will break when assets are loaded through a transforming proxy. See below for more information.

Content Security Policy

Consider adding the following directive to your Content Security Policy:

Content-Security-Policy: require-sri-for script style;

It ensures that if, for some reason, this plugin fails to add integrity attributes to all your assets, your page will fail to load rather than load with unverified assets.

require-sri-for has never officially shipped in Chrome or Firefox, and both appear to be leaning towards removing their implementations.

Options

hashFuncNames

Required option, no default value.

An array of strings, each specifying the name of a hash function to be used for calculating integrity hash values. For example, ['sha256', 'sha512'].

See SRI: Cryptographic hash functions

enabled

Default value: true

When this value is falsy, the plugin doesn't run and no integrity values are calculated. It is recommended to disable the plugin in development mode.

Exporting integrity values

You might want to export generated integrity hashes, perhaps for use with SSR. We recommend webpack-assets-manifest for this purpose. When configured with option integrity: true it will include the hashes generated by this plugin in the manifest (requires webpack-assets-manifest version >= 3 which in turn requires Webpack >= 4).

Example usage with webpack-assets-manifest.

Caveats

Preloading

This plugin adds the integrity attribute to <link rel="preload"> tags, but preloading with SRI doesn't work as expected in current Chrome versions. The resource will be loaded twice, defeating the purpose of preloading. This problem doesn't appear to exist in Firefox or Safari. See issue #111 for more information.

Proxies

By its very nature, SRI can cause your page to break when assets are modified by a proxy. This is because SRI doesn't distinguish between malicious and benevolent modifications: any modification will prevent an asset from being loaded.

Notably, this issue can arise when your page is loaded through Chrome Data Saver.

This is only a problem when your page can be loaded with plain HTTP, since proxies are incapable of modifying encrypted HTTPS responses.

Presumably, you're looking to use SRI because you're concerned about security and thus your page is only served through HTTPS anyway. However, if you really need to use SRI and HTTP together, you should set the Cache-Control: no-transform response header. This will instruct all well-behaved proxies (including Chrome Data Saver) to refrain from modifying the assets.

Browser support

SRI is widely supported in browsers. Your page will still work on browsers without SRI support, but subresources won't be protected from tampering.

See Can I use Subresource Integrity?

Hot Reloading

This plugin can interfere with hot reloading and therefore should be disabled when using tools such as webpack-dev-server. This shouldn't be a problem because hot reloading is usually used only in development mode where SRI is not normally needed.

For testing SRI without setting up a full-blown web server, consider using a tool such as http-server.

Safari and Assets that Require Cookies

As detailed in Webpack Issue #6972, the crossorigin attribute can break loading of assets in certain edge cases due to a bug in Safari. Since SRI requires the crossorigin attribute to be set, you may run into this case even when the source URL is same-origin with respect to the asset.

Further Reading

License

Copyright (c) 2015-present Waysact Pty Ltd

MIT (see LICENSE)