
Adopt a portion of SRI for our implementation #1826

Merged

Conversation

Martii (Member)

@Martii Martii commented Jul 21, 2021

  • This was already implemented pre W3C recommendation in our form but normalizing to their syntax.
  • UI (minus the tooltip) and DB remaining non-base64 encoded... semver limitation with extra characters that violate that spec as well as line numbers.
  • Change caching mechanism... unfortunately traffic for a while will be increased while syncing with browsers. Also because spec doesn't use hex, which it probably should, the eTag header value will be bigger. Hashes, so far, are always "hex-able" by design of SHA but that could change in the future... who knows.
  • Base62 being dropped in favor of Base64 for cache mechanism. Should be okay with extra +/ in base64 since that falls within ASCII limitations.
  • Any .user.js utilizing the .meta.json, or other language, will need to modify to check for the sha512- prefix and decode the value appropriately.
  • If .meta.json shows empty hash clear browser cache (weird Fx issue perhaps)
  • Bugfix on local copy of metadata script access... non-fatal atm just incorrect live copy referenced.

Post #1076 and applies to #432 #249

Ref(s):
* https://developer.mozilla.org/docs/Web/HTTP/Headers/ETag
* https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity
* https://w3c.github.io/webappsec-subresource-integrity/
* https://www.srihash.org/
@Martii Martii added bug You've guessed it... this means a bug is reported. enhancement Something we do have implemented already but needs improvement upon to the best of knowledge. UI Pertains inclusively to the User Interface. CODE Some other Code related issue and it should clearly describe what it is affecting in a comment. labels Jul 21, 2021
@Martii Martii merged commit dfddc4c into OpenUserJS:master Jul 21, 2021
@Martii Martii deleted the Issue-259friendlierSRItooltipAndMeta branch July 21, 2021 02:36
@Martii Martii added the needs mitigation Needs additional followup. label Jul 21, 2021
Martii added a commit to Martii/OpenUserJS.org that referenced this pull request Jul 21, 2021
* We already have the hex and default for Buffer is `utf`... so coerce it to `hex`
* Open up script sending to this methodology. Minification output support may come later but if one relies on the hash and something changes in the backend it can easily foo script installation. Will have to ponder some more.

Post OpenUserJS#1826
Martii added a commit that referenced this pull request Jul 21, 2021
* We already have the hex string and default for Buffer is `utf`... so coerce it to `hex` which makes it "binary"
* Open up script sending to this methodology. Minification output support may come later but if one relies on the hash and something changes in the backend it can easily foo script installation. Will have to ponder some more.

Post #1826

Auto-merge
@Martii Martii removed the needs mitigation Needs additional followup. label Jul 21, 2021
Martii added a commit to Martii/OpenUserJS.org that referenced this pull request Jul 21, 2021
* Use the "binary" form instead of the string form.

Post OpenUserJS#1826
@Martii Martii mentioned this pull request Jul 21, 2021
Martii added a commit that referenced this pull request Jul 21, 2021
* Use the "binary" form instead of the string form.

Post #1826

Auto-merge
Martii added a commit to Martii/OpenUserJS.org that referenced this pull request Jul 23, 2021
* Enough testing on main .user.js... seems solid.

Post OpenUserJS#1826
Martii added a commit that referenced this pull request Jul 23, 2021
* Enough testing on main .user.js... seems solid.

Post #1826

Auto-merge
Martii added a commit to Martii/OpenUserJS.org that referenced this pull request Jul 8, 2022
Post OpenUserJS#1076 OpenUserJS#1826 and applies to OpenUserJS#432 OpenUserJS#249

NOTE:
* This increases the server load for more frequent accuracy
Martii added a commit that referenced this pull request Jul 8, 2022
Post #1076 #1826 and applies to #432 #249

NOTE:
* This increases the server load for more frequent accuracy

Auto-merge
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 22, 2022