ember-cli-sri
Advanced tools
This plugin is used to generate SRI integrity for ember applications. The reason to add this to your application is to protect against poisoned CDNs.
This is BETA, untested and MUST NOT be used for production systems.
ember install ember-cli-sriIn Brocfile.js or ember-cli-build.js:
var app = new EmberApp({
SRI: {
crossorigin: 'anonymous'
},
fingerprint: {
prepend: 'https://subdomain.cloudfront.net/'
}
});
Or:
var app = new EmberApp({
origin: 'https://subdomain.cloudfront.net/',
fingerprint: {
prepend: 'https://subdomain.cloudfront.net/'
}
});
Or:
var app = new EmberApp({
});
use-credentialsanonymous<script src="https://example.com/thing-5e1978f9cfa158d9841d7b6d8a4e5c57.js" integrity="sha256-oFeuE/P+XJMjkMS5pAPudQOMGJQ323nQt+DQ+9zbdAg= sha512-+EXjzt0I7g6BjvqqjkkboGyRlFSfIuyzY2SQ43HQKZBrHsjmRzEdjSHhiDzVs30nXL9H0tKw6WbMPc6RfzUumQ==" crossorigin="anonymous" /></script>
<script src="https://example.com/thing-5e1978f9cfa158d9841d7b6d8a4e5c57.js" crossorigin="use-credentials" integrity="sha256-oFeuE/P+XJMjkMS5pAPudQOMGJQ323nQt+DQ+9zbdAg= sha512-+EXjzt0I7g6BjvqqjkkboGyRlFSfIuyzY2SQ43HQKZBrHsjmRzEdjSHhiDzVs30nXL9H0tKw6WbMPc6RfzUumQ=="/></script>
<script src="unicode-chars.js" integrity="sha256-TH5eRuwfOSKZE0EKVF4WZ6gVQ/zUch4CZE2knqpS4MU= sha512-eANuTl8NOQEa4/zm44zxX6g7ffwf6NXftA2sv4ZiQURnJsfJkUnYP8XpN2XVVZee4SjB32i28WM6trs9HVgQmA=="/></script>
This addon should fail safely at all times so resources matching https? need:
fingerprint.prependSRI.crossorigin attribute must be setIf the config is not set correctly it should result in just a lack of SRI protection, which is better than a broken website.
Please file bugs if you find a case when the config doesn't 'fail safe', is not clear or results in a broken page.
If your Ember application is NOT being loaded on the same origin as in fingerprint.prefix:
fingerprint.prefix domain will need to be serving CORS HeadersIf your Ember application is being loaded on the same origin as in fingerprint.prefix:
In code that uses SRI, you MUST NOT tamper with the built output JavaScript files as code will not load.
When the request doesn't match Same Origin Policy the crossorigin attribute MUST be present for the integrity of the file to be checked. With an integrity set on an external origin and a missing crossorigin then the browser will choose to 'fail-open' which means it will load the resource as if the integrity attribute was not set.
Values:
No known formal objections to the specification
npm test0.2.3
FAQs
SRI generation for Ember CLI
The npm package ember-cli-sri receives a total of 79,315 weekly downloads. As such, ember-cli-sri popularity was classified as popular.
We found that ember-cli-sri demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Fluent Assertions is facing backlash after dropping the Apache license for a commercial model, leaving users blindsided and questioning contributor rights.
Research
Security News
Socket researchers uncover the risks of a malicious Python package targeting Discord developers.
Security News
The UK is proposing a bold ban on ransomware payments by public entities to disrupt cybercrime, protect critical services, and lead global cybersecurity efforts.