Tweak request to make integration with webpack-subresource-integrity easy #330
Comments
Well as |
Take a look at the |
Ok, I'm willing to do that work, but you have to understand that I didn't understand what you said having only started working with webpack a month ago in an effort to migrate a Makefile+cat build to something more reasonable. Could you spell out step by step a bit more what you think I should do? |
I started down the path of what I thought you were asking me to do, but it was a 1-line change to the plugin to squirrel away the base name of the file when building the chunk hash, and I couldn't figure out how to debug a plugin very effectively never having written a webpack plugin before, though the README.md on this project was a good start. So I submitted the above pull request instead. With this pull request, adding integrity checks or anything that can be read from compilation.assets is just:
In short: You should accept the above pull request because:
|
Why don't you use a hook? Like https://github.com/jantimon/favicons-webpack-plugin/blob/master/index.js#L57-L62 |
Then someone needs 3 plugins+template to implement SRI:
I figured having the base name available was a generally useful enhancement that would enable people to do whatever they needed in a template by writing a plugin to enhance the compilation object, where they could pick it up later. If you want it to work with injection, I could also modify the injection to see if the integrity value is present for an asset and modify the injection tag there. Then no template is necessary. That would be nice because then SRI only requires #1 and #2 above, if you want SRI, you calculate it. |
Some reasons why this is not my preferred way to solve this:
With your solution it would take a

I would propose to add a hook to the SRI plugin then we could have a configuration like this to get it working:

```js
plugins: [
  new WebpackHtmlPlugin(),
  new SriPlugin(['sha256', 'sha384']),
]
```

What do you think? |
Simpler would definitely be better, it would be best to just have two plugins, but I wasn't sure how to mutate the <script> tags after they'd already been injected. In the sample you sent me, you're doing a search/replace on the <head tag, but that seems kind of hacky and error prone to me. It would have to find the already added script tags, parse them to get the path, look them up in the compilation object, then write out the integrity attribute. Ick. If you can give me more of a hint on a way to change the script tags more elegantly, I can look into adding a hook to the SRI plugin instead. Thinking about it, a cleaner way would be to allow hooks to add additional attributes prior to injection to assets.js and assets.css in assets.attributes[]. The injection code could then loop over any additional attributes and inject them. It would be slightly more complexity on line 454 and 459 of index.js but not too bad.
Do you like that? |
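
The approach proposed in the comment above, sketched as an added example (not code from html-webpack-plugin, webpack-subresource-integrity, or any participant in this thread): a hook attaches `integrity` and `crossorigin` to each tag before injection, and the injection step loops over whatever attributes are present. The tag descriptor shape, the function names and the sample assets are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Hash functions the SRI specification allows in an integrity attribute.
const SRI_ALGORITHMS = ['sha256', 'sha384', 'sha512'];

// Build an integrity value such as "sha256-<base64> sha384-<base64>".
function integrityFor(source, algorithms) {
  return algorithms.map((alg) => {
    if (!SRI_ALGORITHMS.includes(alg)) throw new Error('unsupported SRI algorithm: ' + alg);
    return alg + '-' + crypto.createHash(alg).update(source).digest('base64');
  }).join(' ');
}

// Hypothetical pre-injection hook body: look each tag's URL up in the
// compilation assets and attach integrity/crossorigin as extra attributes.
function addIntegrity(tags, assets, publicPath, algorithms) {
  return tags.map((tag) => {
    const url = tag.attributes.src || tag.attributes.href || '';
    const path = url.split('?')[0]; // drop a cache-busting query string
    const key = path.startsWith(publicPath) ? path.slice(publicPath.length) : path;
    const asset = assets[key];
    if (!asset) return tag; // not emitted by this build: leave the tag untouched
    const attributes = Object.assign({}, tag.attributes, {
      integrity: integrityFor(asset.source(), algorithms),
      crossorigin: 'anonymous', // needed for the check to run on cross-origin loads
    });
    return Object.assign({}, tag, { attributes });
  });
}

// Injection side: loop over whatever attributes the hooks left on the tag.
function renderTag(tag) {
  const esc = (v) => String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  const attrs = Object.keys(tag.attributes)
    .map((name) => name + '="' + esc(tag.attributes[name]) + '"').join(' ');
  return tag.tagName === 'script' ? '<script ' + attrs + '></script>' : '<link ' + attrs + '>';
}

// Constructed sample data, not taken from the project.
const sampleAssets = { 'chunk.main.bundle.js': { source: () => 'console.log("hi");' } };
const sampleTags = [
  { tagName: 'script', attributes: { src: '/static/chunk.main.bundle.js?v=1' } },
  { tagName: 'script', attributes: { src: 'https://cdn.example/lib.js' } },
];
const injected = addIntegrity(sampleTags, sampleAssets, '/static/', ['sha256', 'sha384']);
console.log(injected.map(renderTag).join('\n'));
```

Tags whose URL is not a key in the assets map are passed through unchanged, so a build that wants SRI on every tag should treat that case as an error instead.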
Oh I like that idea - check out #345 |
Oh, great! I'll work on the SRI plugin hook on the assumption this will go in. Much cleaner than my idea in the details. |
Cool please let me know if it doesn't work properly |
SRI Plugin mods built, see PR: waysact/webpack-subresource-integrity#5 |
Integrated in webpack-subresource-integrity 0.4.0 |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
I got sub resource integrity checking working using this slightly hacky code:
waysact/webpack-subresource-integrity#3
The hacky part is that I hard coded my file name template (chunk.[name].bundle.js) in order to build the key for compilation.assets. If
htmlWebpackPlugin.files.chunks[chunk].assetKey
had the asset key, that would make it less hacky. Or maybe I'm doing it wrong.