webpack-subresource-integrity
Advanced tools
Comparing version 0.3.2 to 0.4.0
48
index.js
| var crypto = require('crypto'); | ||
| var path = require('path'); | ||
| var ReplaceSource = require('webpack-core/lib/ReplaceSource'); | ||
@@ -68,2 +69,3 @@ | ||
| SubresourceIntegrityPlugin.prototype.apply = function apply(compiler) { | ||
@@ -79,2 +81,4 @@ var algorithms = this.algorithms; | ||
| compiler.plugin('compilation', function compilationPlugin(compilation) { | ||
@@ -144,2 +148,46 @@ /* | ||
| }); | ||
| function getTagSrc(tag) { | ||
| // Get asset path - src from scripts and href from links | ||
| return tag.attributes.href || tag.attributes.src; | ||
| } | ||
| function filterTag(tag) { | ||
| // Process only script and link tags with a url | ||
| return (tag.tagName === 'script' || tag.tagName === 'link') && getTagSrc(tag); | ||
| } | ||
| function getIntegrityChecksumForAsset(src) { | ||
| var asset = compilation.assets[path.basename(src)]; | ||
| return asset && asset.integrity; | ||
| } | ||
| function processTag(tag) { | ||
| var checksum = getIntegrityChecksumForAsset(getTagSrc(tag)); | ||
| if (!checksum) { | ||
| compilation.errors.push(new Error( | ||
| "webpack-subresource-integrity: cannot determine hash for asset '" + | ||
| src + "', the resource will be unprotected.")); | ||
| return; | ||
| } | ||
| // Add integrity check sums | ||
| tag.attributes.integrity = checksum; | ||
| tag.attributes.crossorigin = 'anonymous'; | ||
| } | ||
| function supportHtmlWebpack(compilation, pluginArgs, callback) { | ||
| /* html-webpack-plugin has added an event so we can pre-process the html tags before they | ||
| inject them. This does the work. | ||
| */ | ||
| pluginArgs.head.filter(filterTag).forEach(processTag); | ||
| pluginArgs.body.filter(filterTag).forEach(processTag); | ||
| callback(null); | ||
| } | ||
| /* | ||
| * html-webpack support: | ||
| * Modify the asset tags before webpack injects them for anything with an integrity value. | ||
| */ | ||
| compilation.plugin('html-webpack-plugin-alter-asset-tags', supportHtmlWebpack.bind(this, compilation)); | ||
| }); | ||
@@ -146,0 +194,0 @@ }; |
| { | ||
| "name": "webpack-subresource-integrity", | ||
| "version": "0.3.2", | ||
| "version": "0.4.0", | ||
| "description": "Webpack plugin for ensuring subresource integrity", | ||
| "main": "index", | ||
| "scripts": { | ||
| "test": "karma start --single-run", | ||
| "test": "karma start --single-run && mocha test/test-webpack.js", | ||
| "lint": "eslint ." | ||
@@ -19,3 +19,4 @@ }, | ||
| "subresource", | ||
| "integrity" | ||
| "integrity", | ||
| "html-webpack-plugin" | ||
| ], | ||
@@ -32,14 +33,21 @@ "author": "Julian Scheid <julian@waysact.com>", | ||
| "devDependencies": { | ||
| "babel-eslint": "^4.1.6", | ||
| "eslint": "^1.10.3", | ||
| "eslint-config-airbnb-es5": "^1.0.8", | ||
| "eslint-plugin-react": "^3.12.0", | ||
| "babel-eslint": "^6.0.4", | ||
| "css-loader": "^0.23.1", | ||
| "eslint": "^2.12.0", | ||
| "eslint-config-airbnb-es5": "^1.0.9", | ||
| "eslint-plugin-react": "^5.1.1", | ||
| "expect": "^1.13.4", | ||
| "extract-text-webpack-plugin": "^1.0.1", | ||
| "file-loader": "^0.8.5", | ||
| "html-webpack-plugin": "2.21.0", | ||
| "htmlparser": "^1.7.7", | ||
| "karma": "^0.13.15", | ||
| "karma-chrome-launcher": "^0.2.2", | ||
| "karma-firefox-launcher": "^0.1.7", | ||
| "karma-mocha": "^0.2.1", | ||
| "karma-chrome-launcher": "^1.0.1", | ||
| "karma-firefox-launcher": "^1.0.0", | ||
| "karma-mocha": "^1.0.1", | ||
| "karma-webpack": "^1.7.0", | ||
| "mocha": "^2.3.4", | ||
| "soupselect": "^0.2.0", | ||
| "style-loader": "^0.13.1", | ||
| "tmp": "0.0.28", | ||
| "webpack": "^1.12.11" | ||
@@ -46,0 +54,0 @@ }, |
@@ -16,2 +16,3 @@ # webpack-subresource-integrity | ||
| ## Usage | ||
@@ -48,2 +49,25 @@ | ||
| #### integrity for html-webpack-plugin users | ||
| The plugin installs a hook for 'html-webpack-plugin' that does this for | ||
| you automatically if you're using injection. (This requires version 2.21.0 or greater.) | ||
| If you're using a template with 'html-webpack-plugin' | ||
| you need to generate the integrity and crossorigin attributes using something like this: | ||
| <% for (var chunk in htmlWebpackPlugin.files.chunks) { %> | ||
| <script src="<%= htmlWebpackPlugin.files.chunks[chunk].entry %>" | ||
| <% var basename = path.basename(htmlWebpackPlugin.files.chunks[chunk].entry); | ||
| if (compilation.assets[basename] && | ||
| compilation.assets[basename].integrity) {%> | ||
| integrity = "<%= compilation.assets[basename].integrity %>" | ||
| crossorigin="anonymous" | ||
| <% } %> | ||
| ></script> | ||
| <% } %> | ||
| The above assumes that you have path.basename() available from your template. | ||
| ## Caveats | ||
@@ -61,2 +85,5 @@ | ||
| Pull requests are welcome. Please run `npm test` and `npm run lint` on | ||
| your branch before submitting it. | ||
| You are also welcome to correct any spelling mistakes or any language issues. | ||
@@ -63,0 +90,0 @@ |
Sorry, the diff of this file is not supported yet
No alert changes
Improved metrics
- Total package byte prevSize
- increased by31.48%
12141
- Lines of code
- increased by30.65%
162
- Number of lines in readme file
- increased by40.91%
93
Worsened metrics
- Dev dependency count
- increased by53.85%
20
No dependency changes