-
Notifications
You must be signed in to change notification settings - Fork 15
Adding support for rootURL option #30
base: master
Are you sure you want to change the base?
Conversation
Hey! It's been a while since I have touched Ember however this article suggests that the rootURL is where the assets of the applications live for dev and live, is this not the case? From a quick glance it doesn't look like you are catering for the CDN code path: https://github.com/jasonmit/broccoli-sri-hash/blob/dec523b00597643e23b027a74fcfdbf784f49f96/index.js#L228 (the non external code path is actually just to teach Ember developers about SRI whilst in development) Could you give me some sample output before the SRI code is applied and after? |
Since there are many possibilities that (rootURL, fingerprint prefix, fingerprint prefix + rootURL), perhaps we expose a method that extends the responsibility of determining what the prefix is to the consuming app. By default, it will remain SRI: {
// scenario where all three possibilities can be handled
prefix(hrefSrc) {
const rootURL = '/home';
const cdn = 'https://site.com';
if (hrefSrc.startsWith(cdn)) {
if (hrefSrc.substr(0, cdn.length).startsWith(rootURL)) {
return cdn + rootURL;
}
return cdn;
}
return rootURL;
}
}
<!-- before -->
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>SriExampleApp</title>
<meta name="description" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
{{content-for "head"}}
<link rel="stylesheet" href="{{rootURL}}assets/vendor.css">
<link rel="stylesheet" href="{{rootURL}}assets/sri-example-app.css">
{{content-for "head-footer"}}
</head>
<body>
{{content-for "body"}}
<script src="{{rootURL}}assets/vendor.js"></script>
<script src="{{rootURL}}assets/sri-example-app.js"></script>
{{content-for "body-footer"}}
</body>
</html> <!-- after -->
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>SriExampleApp</title>
<meta name="description" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="sri-example-app/config/environment" content="%7B%22modulePrefix%22%3A%22sri-example-app%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22/home%22%2C%22locationType%22%3A%22auto%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%7D%2C%22APP%22%3A%7B%22name%22%3A%22sri-example-app%22%2C%22version%22%3A%220.0.0+53d2d8de%22%7D%2C%22exportApplicationGlobal%22%3Afalse%7D" />
<link rel="stylesheet" href="/home/assets/vendor-d41d8cd98f00b204e9800998ecf8427e.css" integrity="sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==" >
<link rel="stylesheet" href="/home/assets/sri-example-app-d41d8cd98f00b204e9800998ecf8427e.css" integrity="sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==" >
</head>
<body>
<script src="/home/assets/vendor-5e921d36d45861ec49e17e670290803f.js" integrity="sha256-ELwDpLGC8S7kHpTHN7+9sk80T4hXoyDT/ElRaiW4hKI= sha512-pbtpLYyEb2KfHtwADvD4iG28+g92kloMpuOXZzatoqx6BId87tQZc7QxDtflJxX9LzntCeDd5b3jnV+BjM946g==" ></script>
<script src="/home/assets/sri-example-app-a2d5bce0ba33db7479a6697901cdd499.js" integrity="sha256-/77Nqfo+mI8ojYXIYngAq0Nl9VUMB/9xi565YUhhHn4= sha512-Kk+lMiZlIdc7L0z9BJoKTqK18hdjK+rWkeay7h19rUCC8zLcHh0Ix3FPz5Z8oTmnZ3QuwS+uD3aaGV9lnTUL0Q==" ></script>
</body>
</html> |
Right, isn't the expectation that rootURL has the same path in dev too? So it shouldn't start with a The SRI script will be receiving code like: Then when deployed you would get: Could you confirm @Turbo87? |
I have to admit I haven't used the SRI addon much yet so it's a bit hard for me to follow what's going on here. What you commented seems to make sense to me although nothings stopping you from using a different |
@Turbo87 I'm kinda lost why the file prefix needs to be taken into account here, the code currently strips off CDN prefixes as they won't be local file paths however the rootURL surely is part of the application structure is it not? |
are we talking about the structure on the file system? the |
Surely that is the use case for If that is the case @jasonmit the patch can probably just concat |
@jonathanKingston no, you need to think of assets and the ember router in different ways.
I think that depends on whether the user has |
So in the case where user has:
and:
Would files would be nested in:
If 1. then the code should be functioning correctly.
|
I think the answer to that question is 1) |
Hmm so it should be working correctly from my old understanding of the code.
And it would check the file
|
The rootURL does not indicate where the files are on the file system. So in my experience, it is #2. Consider an nginx server sitting in front of your app and in your nginx config you proxy all requests to /home to a webserver. The rootURL for your ember app needs to be /home so assets sources get routed to the correct app through nginx and URL get prefixed with /home so that URLs generated are mapped correctly. I don't think it's safe to assume fingerprint.prefix + rootURL since not all assets will have rootURL. And not all rootURL paths will have fingerprint.prefix (consider the exclude option to asset-rev). |
@jasonmit can't you change your live vs dev prefix? If you can't I'm not sure why you would need to stick the prefix on the file paths either. I just get the feeling this will add either lots more complexity or slow down everyone elses setups as you have to check two paths rather than one. |
The live and dev rootURLs are identical in this case since nginx is used within development. As for the complexity concern, I agree and that is why I propose adding a method where the consumer can implement the complexity on their end. By default the current functionality will remain the default implementation. The reason is, I would have to check at least 3 locations on the file system and even then I feel we're making too many assumption as people may have they're own aliases for asset paths. For example, an image resizing/compression service sitting in front of some image sources. ember-cli-sri would have no way of knowing how to look those up on the filesystem. |
You likely won't want it working on this compression service to be fair. I'm not convinced by the function however happy to review patches when you have them :) |
Good point. Contrived example but you can imagine someone setting up redirect middleware minus mutating the asset. Do you have any suggestions of an approach you would be more open on? I figured it offered the most flexibility without the perf hit of checking many permutations against the fs. I do believe some degree of rootURL support is needed as more will be flocking to it with base deprecated. I want to help get there with the least amount of churn |
Er I would keep the same default behaviour (up until someone points out this is a common use case etc). Then pass the function through to the other lib and move the code looking for files out into it's own function checking for a prefix function.
The code tries to do as many shortcuts as possible that are safe defaults as to give SRI to as many developers as possible without breaking their setups via I actually can't remember why this code path exists: https://github.com/jonathanKingston/broccoli-sri-hash/blob/master/index.js#L202 perhaps that could be cleaned up to remove an aditional file read too?! Feel free to ping me if none of this make sense / you need help etc :) |
Unsure what you mean, are you wondering why someone would change the The more complex case is handling rootURL + a CDN. Still unclear how to solve that elegantly, so I might defer on fixing that this time around. We'll likely need to tackle this anyway in the future, so happy to pick it back up in a month or so to land that feature. |
As in if you are going to provide an override function for developers by default it should just behave how the code currently does and not check more files than it needs to etc. |
I was just hit hard by this bug, and Jason's branches work perfectly. I think the fundamental issue is that rootURL has nothing to do with path on disk. In an app with a rootURL of "web", ember build still puts everything in There may be some more discussion about edge cases in this thread, but I believe these PRs are the right starting point. Also, I removed my rootURL and these branches still pick up the file. |
Currently, applications that depend on rootURL do not work well with ember-cli-sri. This PR enables support for rootURL.
The other half: jonathanKingston/broccoli-sri-hash#25