Skip to content

Implement SRI support in importmap-rails #304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jul 22, 2025
Merged

Implement SRI support in importmap-rails #304

merged 6 commits into from
Jul 22, 2025
+940 −121

Conversation

rafaelfranca
Copy link
Member

@rafaelfranca rafaelfranca commented Jul 9, 2025
edited
Loading

This pull request introduces Subresource Integrity (SRI) support to the importmap-rails gem, enhancing security by ensuring that JavaScript files loaded from CDNs have not been tampered with.

Default behavior with integrity

When you pin a package, integrity hashes are automatically included:

./bin/importmap pin lodash
Pinning "lodash" to vendor/javascript/lodash.js via download from https://ga.jspm.io/npm:[email protected]/lodash.js
  Using integrity: sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF

This generates a pin in your config/importmap.rb with the integrity hash:

pin "lodash", integrity: "sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF" # @4.17.21

Opting out of integrity

If you need to disable integrity checking (not recommended for security reasons), you can use the --no-integrity flag:

./bin/importmap pin lodash --no-integrity
Pinning "lodash" to vendor/javascript/lodash.js via download from https://ga.jspm.io/npm:[email protected]/lodash.js

This generates a pin without integrity:

pin "lodash" # @4.17.21

Adding integrity to existing pins

If you have existing pins without integrity hashes, you can add them using the integrity command:

# Add integrity to specific packages
./bin/importmap integrity lodash react

# Add integrity to all pinned packages
./bin/importmap integrity

# Update your importmap.rb file with integrity hashes
./bin/importmap integrity --update

Automatic integrity for local assets

For local assets served by the Rails asset pipeline (like those created with pin or pin_all_from), you can use integrity: true to automatically calculate integrity hashes from the compiled assets:

# config/importmap.rb

# Automatically calculate integrity from asset pipeline
pin "application", integrity: true
pin "admin", to: "admin.js", integrity: true

# Works with pin_all_from too
pin_all_from "app/javascript/controllers", under: "controllers", integrity: true
pin_all_from "app/javascript/lib", under: "lib", integrity: true

# Mixed usage
pin "local_module", integrity: true              # Auto-calculated
pin "cdn_package", integrity: "sha384-abc123..." # Pre-calculated
pin "no_integrity_package"                       # No integrity (default)

This is particularly useful for:

  • Local JavaScript files managed by your Rails asset pipeline
  • Bulk operations with pin_all_from where calculating hashes manually would be tedious
  • Development workflow where asset contents change frequently

The integrity: true option:

  • Uses the Rails asset pipeline's built-in integrity calculation
  • Works with both Sprockets and Propshaft
  • Automatically updates when assets are recompiled
  • Gracefully handles missing assets (returns nil for non-existent files)

Example output with integrity: true:

{
  "imports": {
    "application": "/assets/application-abc123.js",
    "controllers/hello_controller": "/assets/controllers/hello_controller-def456.js"
  },
  "integrity": {
    "/assets/application-abc123.js": "sha256-xyz789...",
    "/assets/controllers/hello_controller-def456.js": "sha256-uvw012..."
  }
}

How integrity works

The integrity hashes are automatically included in your import map and module preload tags:

Import map JSON:

{
  "imports": {
    "lodash": "https://ga.jspm.io/npm:[email protected]/lodash.js"
  },
  "integrity": {
    "https://ga.jspm.io/npm:[email protected]/lodash.js": "sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF"
  }
}

Module preload tags:

<link rel="modulepreload" href="https://ga.jspm.io/npm:[email protected]/lodash.js" integrity="sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF">

Modern browsers will automatically validate these integrity hashes when loading the JavaScript modules, ensuring the files haven't been modified.

Closes #297.

rafaelfranca
rafaelfranca commented Jul 9, 2025
View reviewed changes
lib/importmap/map.rb
@@ -41,8 +41,60 @@ def pin_all_from(dir, under: nil, to: nil, preload: true)
# resolve for different asset hosts, you can pass in a custom `cache_key` to vary the cache used by this method for
# the different cases.
def preloaded_module_paths(resolver:, entry_point: "application", cache_key: :preloaded_module_paths)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This method can probably be deprecated now since the library isn't using anymore

@rafaelfranca rafaelfranca force-pushed the rm=sri branch 2 times, most recently from b9343a9 to 107a95a Compare July 15, 2025 17:20
@rafaelfranca rafaelfranca marked this pull request as ready for review July 15, 2025 17:22
@rafaelfranca rafaelfranca changed the title Implement SRI support in impotmaps-rails Implement SRI support in importmap-rails Jul 15, 2025
@rafaelfranca
Support calculating integrity hashes for local assets automatically
1aecf66 
When `integrity: true` is used with `pin_all_from` or `pin`, the
importmap will automatically calculate integrity hashes for local assets
served by the Rails asset pipeline. This eliminates the need to manually
manage integrity hashes for local files, enhancing security and
simplifying development.
@rafaelfranca rafaelfranca merged commit 03acd4c into main Jul 22, 2025
68 checks passed
@brunoprietog
Copy link

Hi @rafaelfranca!

Is it necessary to include SRI in files that already belong to a gem?

Even more, would it even be possible to check the integrity of the files when downloading them instead of leaving the integrity hash in the file?

I say this because I think it's especially useful if you use a CDN to fetch the files on each request, but here the files are already downloaded and served by the same applicationn not a CDN on demand.

So, what change in the CDN are we protecting ourselves from if the files are under our control now?

Those lines look ugly now in the Importmap configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SRI (Subresource Integrity) Support
2 participants
@rafaelfranca @brunoprietog