webpack-subresource-integrity
Advanced tools
Comparing version 0.3.2 to 0.4.0
48
index.js
var crypto = require('crypto'); | ||
var path = require('path'); | ||
var ReplaceSource = require('webpack-core/lib/ReplaceSource'); | ||
@@ -68,2 +69,3 @@ | ||
SubresourceIntegrityPlugin.prototype.apply = function apply(compiler) { | ||
@@ -79,2 +81,4 @@ var algorithms = this.algorithms; | ||
compiler.plugin('compilation', function compilationPlugin(compilation) { | ||
@@ -144,2 +148,46 @@ /* | ||
}); | ||
function getTagSrc(tag) { | ||
// Get asset path - src from scripts and href from links | ||
return tag.attributes.href || tag.attributes.src; | ||
} | ||
function filterTag(tag) { | ||
// Process only script and link tags with a url | ||
return (tag.tagName === 'script' || tag.tagName === 'link') && getTagSrc(tag); | ||
} | ||
function getIntegrityChecksumForAsset(src) { | ||
var asset = compilation.assets[path.basename(src)]; | ||
return asset && asset.integrity; | ||
} | ||
function processTag(tag) { | ||
var checksum = getIntegrityChecksumForAsset(getTagSrc(tag)); | ||
if (!checksum) { | ||
compilation.errors.push(new Error( | ||
"webpack-subresource-integrity: cannot determine hash for asset '" + | ||
src + "', the resource will be unprotected.")); | ||
return; | ||
} | ||
// Add integrity check sums | ||
tag.attributes.integrity = checksum; | ||
tag.attributes.crossorigin = 'anonymous'; | ||
} | ||
function supportHtmlWebpack(compilation, pluginArgs, callback) { | ||
/* html-webpack-plugin has added an event so we can pre-process the html tags before they | ||
inject them. This does the work. | ||
*/ | ||
pluginArgs.head.filter(filterTag).forEach(processTag); | ||
pluginArgs.body.filter(filterTag).forEach(processTag); | ||
callback(null); | ||
} | ||
/* | ||
* html-webpack support: | ||
* Modify the asset tags before webpack injects them for anything with an integrity value. | ||
*/ | ||
compilation.plugin('html-webpack-plugin-alter-asset-tags', supportHtmlWebpack.bind(this, compilation)); | ||
}); | ||
@@ -146,0 +194,0 @@ }; |
{ | ||
"name": "webpack-subresource-integrity", | ||
"version": "0.3.2", | ||
"version": "0.4.0", | ||
"description": "Webpack plugin for ensuring subresource integrity", | ||
"main": "index", | ||
"scripts": { | ||
"test": "karma start --single-run", | ||
"test": "karma start --single-run && mocha test/test-webpack.js", | ||
"lint": "eslint ." | ||
@@ -19,3 +19,4 @@ }, | ||
"subresource", | ||
"integrity" | ||
"integrity", | ||
"html-webpack-plugin" | ||
], | ||
@@ -32,14 +33,21 @@ "author": "Julian Scheid <julian@waysact.com>", | ||
"devDependencies": { | ||
"babel-eslint": "^4.1.6", | ||
"eslint": "^1.10.3", | ||
"eslint-config-airbnb-es5": "^1.0.8", | ||
"eslint-plugin-react": "^3.12.0", | ||
"babel-eslint": "^6.0.4", | ||
"css-loader": "^0.23.1", | ||
"eslint": "^2.12.0", | ||
"eslint-config-airbnb-es5": "^1.0.9", | ||
"eslint-plugin-react": "^5.1.1", | ||
"expect": "^1.13.4", | ||
"extract-text-webpack-plugin": "^1.0.1", | ||
"file-loader": "^0.8.5", | ||
"html-webpack-plugin": "2.21.0", | ||
"htmlparser": "^1.7.7", | ||
"karma": "^0.13.15", | ||
"karma-chrome-launcher": "^0.2.2", | ||
"karma-firefox-launcher": "^0.1.7", | ||
"karma-mocha": "^0.2.1", | ||
"karma-chrome-launcher": "^1.0.1", | ||
"karma-firefox-launcher": "^1.0.0", | ||
"karma-mocha": "^1.0.1", | ||
"karma-webpack": "^1.7.0", | ||
"mocha": "^2.3.4", | ||
"soupselect": "^0.2.0", | ||
"style-loader": "^0.13.1", | ||
"tmp": "0.0.28", | ||
"webpack": "^1.12.11" | ||
@@ -46,0 +54,0 @@ }, |
@@ -16,2 +16,3 @@ # webpack-subresource-integrity | ||
## Usage | ||
@@ -48,2 +49,25 @@ | ||
#### integrity for html-webpack-plugin users | ||
The plugin installs a hook for 'html-webpack-plugin' that does this for | ||
you automatically if you're using injection. (This requires version 2.21.0 or greater.) | ||
If you're using a template with 'html-webpack-plugin' | ||
you need to generate the integrity and crossorigin attributes using something like this: | ||
<% for (var chunk in htmlWebpackPlugin.files.chunks) { %> | ||
<script src="<%= htmlWebpackPlugin.files.chunks[chunk].entry %>" | ||
<% var basename = path.basename(htmlWebpackPlugin.files.chunks[chunk].entry); | ||
if (compilation.assets[basename] && | ||
compilation.assets[basename].integrity) {%> | ||
integrity = "<%= compilation.assets[basename].integrity %>" | ||
crossorigin="anonymous" | ||
<% } %> | ||
></script> | ||
<% } %> | ||
The above assumes that you have path.basename() available from your template. | ||
## Caveats | ||
@@ -61,2 +85,5 @@ | ||
Pull requests are welcome. Please run `npm test` and `npm run lint` on | ||
your branch before submitting it. | ||
You are also welcome to correct any spelling mistakes or any language issues. | ||
@@ -63,0 +90,0 @@ |
Sorry, the diff of this file is not supported yet
12141
162
93
20