#565 Provide optional SRI hash when displaying embed code #730
Conversation
… hash to docker-compose. Added UI&Integrity hash to audtiroum
auditorium/gulpfile.js
Outdated
| @@ -13,6 +13,7 @@ var buffer = require('vinyl-buffer') | |||
| var gap = require('gulp-append-prepend') | |||
| var Readable = require('stream').Readable | |||
| var linguasFile = require('linguas-file') | |||
| var CryptoJS = require('crypto-js') | |||
There was a problem hiding this comment.
As this is now exclusively running on the server, can we use the stdlib crypto module and not add a dependency?
| const snippetWithSRI = `<script async src="${window.location.origin}/script.js" data-account-id="${model.account.accountId}" integrity="sha256-${process.env.SCRIPT_INTEGRITY_HASH}"></script>` | ||
| const [useSnippetWithSRI, setActive] = useState(false); | ||
| let embeddedSnipped = useSnippetWithSRI ? snippetWithSRI : snippet; | ||
| let buttonText = useSnippetWithSRI ? 'Hide integrity hash' : 'Show with integrity hash'; |
There was a problem hiding this comment.
As Offen is translated into multiple languages, all copy needs to be localized properly. Doing this is relatively easy: a global __ function is available in all modules that you can wrap a string in, marking as "to be localized":
__('Hide integrity hash')
| @@ -59,17 +70,22 @@ const EmbedCode = (props) => { | |||
| <Paragraph class='ma0 mb3'> | |||
| {__('In case you are serving multiple domains from your Offen instance, please double check that the domain in this snippet matches the target account.')} | |||
| </Paragraph> | |||
| <div class="flex items-end"> | |||
| <div class="w-100 tr bb b--light-gray"> | |||
| <button onClick={toggleScriptDisplay} class='pointer w-100 w-auto-ns fw1 f7 tc bn dib br1 ph2 pv1 black bg-black-10'><span class={classnames('ml2', 'dib', 'label-toggle', 'label-toggle', !useSnippetWithSRI? null : 'label-toggle--rotate')}></span> {buttonText}</button> | |||
There was a problem hiding this comment.
With classnames you don't need to add ternary statements yourself, instead you can have the library conditionally apply classnames:
classnames('a', 'b' {'label-toggle--rotate': useSnippetWithSRI })
|
This pull request introduces 1 alert when merging ac23ced into c7aed87 - view on LGTM.com new alerts:
|
|
@m90 thank you for your feedback. Most importantly I changed towards the crypto library from node. Is there a special trick to invoke this behavior you mentioned? Also: currently the generated sha-256 hash always differs from the browser enforced integrity hash. Furthermore my formatter seems to differ a bit from yours. Which one do you use? |
The entire repo uses Line 67 in c7aed87 You can check whether
Not really a trick. If you look at the Line 111 in c7aed87 You can now do the same in the |
build/Dockerfile.build
Outdated
| WORKDIR /code/deps | ||
| RUN npm ci | ||
| COPY ./script /code/script | ||
| COPY ./auditorium /code/auditorium | ||
| COPY --from=script ./code/script/index.js /code/auditorium/script/index.js |
There was a problem hiding this comment.
This copies the entrypoint file when instead we need to copy the bundled versions. See my comment on how to do this.
There was a problem hiding this comment.
Shouldn't this invoke the behavior we need?
COPY --from=script /code/script/dist/index.js /script/script.js
There was a problem hiding this comment.
There was a problem hiding this comment.
To not bother you with more questions I'll need some time to work me through the build process. To be honest it is a lot magic for me right now.
I'm not quite sure how gulp works together with the dockerfile.build furthermore my overall gulp knowledge is very limited.
There was a problem hiding this comment.
If you have questions while doing so, don't worry about bothering me. In any case, take your time. Thanks.
|
This pull request introduces 1 alert when merging 4d37805 into c7aed87 - view on LGTM.com new alerts:
|
auditorium/gulpfile.js
Outdated
| return true | ||
| }, | ||
| transform: transforms.map(function (transform) { | ||
| if (transform === '@offen/l10nify' || (Array.isArray(transform) && transform[0] === '@offen/l10nify')) { |
There was a problem hiding this comment.
It would be good if you could undo these formatting only changes as well even if standard is ok with them. It'll be easier to understand what changed if we don't have the additional noise in the diff.
Hey, first draft for the implementation of an optional SRI hash for the script tag.
The last required step is not working yet (by that I mean pulling the embedding script into the auditorium build file stage to generate the hash). Hopefully I can finalize everything on the weekend and already add your feedback / improvements.
@hendr-ik if you want I'll also update the UI towards a using a simple checkbox.