Implement SRI support in importmap-rails #304
@@ -41,8 +41,60 @@ def pin_all_from(dir, under: nil, to: nil, preload: true) | |||
# resolve for different asset hosts, you can pass in a custom `cache_key` to vary the cache used by this method for | |||
# the different cases. | |||
def preloaded_module_paths(resolver:, entry_point: "application", cache_key: :preloaded_module_paths) |
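Review bot: only the three unchanged context lines of this hunk are visible, while its header `@@ -41,8 +41,60 @@` accounts for 52 added lines, so the new code itself cannot be reviewed from this page; since `preloaded_module_paths(resolver:, entry_point:, cache_key:)` is reported below as no longer used by the library, its docstring should say so and the method should emit a deprecation warning rather than remain an undocumented public method whose `cache_key` caching contract callers may still rely on.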
This method can probably be deprecated now since the library isn't using it anymore.
Compare: b9343a9 to 107a95a
And add a new command to download and add integrity hashes for packages.
When `integrity: true` is used with `pin_all_from` or `pin`, the importmap will automatically calculate integrity hashes for local assets served by the Rails asset pipeline. This eliminates the need to manually manage integrity hashes for local files, enhancing security and simplifying development.
Hi @rafaelfranca! Is it necessary to include SRI in files that already belong to a gem? Even more, would it even be possible to check the integrity of the files when downloading them instead of leaving the integrity hash in the file? I say this because I think it's especially useful if you use a CDN to fetch the files on each request, but here the files are already downloaded and served by the same application, not a CDN on demand. So, what change in the CDN are we protecting ourselves from if the files are under our control now? Those lines look ugly now in the Importmap configuration.
This pull request introduces Subresource Integrity (SRI) support to the importmap-rails gem, enhancing security by ensuring that JavaScript files loaded from CDNs have not been tampered with.

Default behavior with integrity

When you pin a package, integrity hashes are automatically included. This generates a pin in your `config/importmap.rb` with the integrity hash:

Opting out of integrity

If you need to disable integrity checking (not recommended for security reasons), you can use the `--no-integrity` flag. This generates a pin without integrity:

Adding integrity to existing pins

If you have existing pins without integrity hashes, you can add them using the `integrity` command:

Automatic integrity for local assets

For local assets served by the Rails asset pipeline (like those created with `pin` or `pin_all_from`), you can use `integrity: true` to automatically calculate integrity hashes from the compiled assets. This is particularly useful for:

- `pin_all_from`, where calculating hashes manually would be tedious

The `integrity: true` option:

- (… `nil` for non-existent files)

Example output with `integrity: true`:

How integrity works

The integrity hashes are automatically included in your import map and module preload tags:

Import map JSON:

Module preload tags:

Modern browsers will automatically validate these integrity hashes when loading the JavaScript modules, ensuring the files haven't been modified.
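To make the mechanism behind `integrity: true` and the import map output concrete, here is an added Ruby example written for this page; it is not code from importmap-rails. It computes `sha384-<base64>` SRI values for compiled local files, returns `nil` for a file that does not exist, verifies a file on disk against a recorded value the way a browser does before executing a module, and renders the import map JSON and `modulepreload` tags with the hash attached. The pin names, asset paths, the tampered file and the top-level `"integrity"` object in the JSON are assumptions for illustration (the object follows the Import Maps `integrity` section; the gem's own output may be shaped differently).

```ruby
require "digest"
require "json"
require "tmpdir"

# SRI algorithm names mapped to digest classes. SHA-384 is the default because
# it is the algorithm the SRI specification recommends.
SRI_DIGESTS = {
  "sha256" => Digest::SHA256,
  "sha384" => Digest::SHA384,
  "sha512" => Digest::SHA512
}.freeze

# Compute an SRI value ("<algorithm>-<base64 digest>") for a compiled asset.
# Returns nil when the file does not exist, matching the "nil for
# non-existent files" behaviour the PR description gives for integrity: true.
def sri_integrity(path, algorithm: "sha384")
  digest_class = SRI_DIGESTS.fetch(algorithm) do |name|
    raise ArgumentError, "unsupported SRI algorithm: #{name}"
  end
  return nil unless File.file?(path)

  # pack("m0") is strict base64 without line breaks, as SRI requires.
  "#{algorithm}-#{[digest_class.digest(File.binread(path))].pack("m0")}"
end

# Check a file on disk against a recorded integrity string: the same comparison
# a browser performs before executing a module that carries an integrity
# attribute. A missing file, missing hash or unknown algorithm is a failure.
def sri_match?(path, expected)
  return false if expected.nil?
  algorithm, _digest = expected.split("-", 2)
  return false unless SRI_DIGESTS.key?(algorithm)
  actual = sri_integrity(path, algorithm: algorithm)
  !actual.nil? && actual == expected
end

# Render the import map JSON. Pins that carry a hash are also listed under a
# top-level "integrity" object keyed by module URL (assumed shape, see lead-in).
def importmap_json(pins)
  imports = {}
  integrity = {}
  pins.each do |pin|
    imports[pin[:name]] = pin[:path]
    integrity[pin[:path]] = pin[:integrity] if pin[:integrity]
  end
  map = { "imports" => imports }
  map["integrity"] = integrity unless integrity.empty?
  JSON.generate(map)
end

# Render <link rel="modulepreload"> tags, adding integrity="" whenever the pin
# has a hash so the preloaded bytes are verified as well as the import itself.
def modulepreload_tags(pins)
  pins.map do |pin|
    attrs = %(rel="modulepreload" href="#{pin[:path]}")
    attrs += %( integrity="#{pin[:integrity]}") if pin[:integrity]
    "<link #{attrs}>"
  end.join("\n")
end

# Constructed demo: two files in a temporary directory stand in for compiled
# asset pipeline output; the third pin refers to a file that was never built,
# so its integrity is nil and it is emitted without a hash. After the hashes
# are recorded, one file is modified to show that verification catches it.
def demo
  Dir.mktmpdir("sri-demo") do |dir|
    File.write(File.join(dir, "application.js"), "import 'stimulus';\n")
    File.write(File.join(dir, "controllers.js"), "export default {};\n")

    pins = [
      { name: "application", path: "/assets/application-1a2b3c.js", file: File.join(dir, "application.js") },
      { name: "controllers", path: "/assets/controllers-4d5e6f.js", file: File.join(dir, "controllers.js") },
      { name: "missing",     path: "/assets/missing-000000.js",     file: File.join(dir, "missing.js") }
    ].map { |pin| pin.merge(integrity: sri_integrity(pin[:file])) }

    # Constructed modification of one compiled asset after its hash was recorded.
    File.write(File.join(dir, "controllers.js"), "export default { changed: true };\n")

    {
      json: importmap_json(pins),
      tags: modulepreload_tags(pins),
      application_ok: sri_match?(pins[0][:file], pins[0][:integrity]),
      controllers_ok: sri_match?(pins[1][:file], pins[1][:integrity]),
      missing_integrity: pins[2][:integrity]
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts result[:json]
  puts result[:tags]
  puts "application verified: #{result[:application_ok]}"  # true
  puts "controllers verified: #{result[:controllers_ok]}"  # false (file changed after hashing)
end
```

Run it with `ruby sri_demo.rb`. The point of the second verification is the answer to the question raised in the thread above: once the hash is pinned in `config/importmap.rb` at generation time, the browser's check covers whatever serves the bytes later, so a compiled file altered on the asset host or CDN between hashing and delivery is refused rather than executed, and `nil` for a missing file keeps a non-existent asset from ever being emitted with a stale hash.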
Closes #297.