New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#565 Provide optional SRI hash when displaying embed code #730
base: development
Are you sure you want to change the base?
Conversation
… hash to docker-compose. Added UI&Integrity hash to audtiroum
auditorium/gulpfile.js
Outdated
@@ -13,6 +13,7 @@ var buffer = require('vinyl-buffer') | |||
var gap = require('gulp-append-prepend') | |||
var Readable = require('stream').Readable | |||
var linguasFile = require('linguas-file') | |||
var CryptoJS = require('crypto-js') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As this is now exclusively running on the server, can we use the stdlib crypto
module and not add a dependency?
const snippetWithSRI = `<script async src="${window.location.origin}/script.js" data-account-id="${model.account.accountId}" integrity="sha256-${process.env.SCRIPT_INTEGRITY_HASH}"></script>` | ||
const [useSnippetWithSRI, setActive] = useState(false); | ||
let embeddedSnipped = useSnippetWithSRI ? snippetWithSRI : snippet; | ||
let buttonText = useSnippetWithSRI ? 'Hide integrity hash' : 'Show with integrity hash'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As Offen is translated into multiple languages, all copy needs to be localized properly. Doing this is relatively easy: a global __
function is available in all modules that you can wrap a string in, marking as "to be localized":
__('Hide integrity hash')
@@ -59,17 +70,22 @@ const EmbedCode = (props) => { | |||
<Paragraph class='ma0 mb3'> | |||
{__('In case you are serving multiple domains from your Offen instance, please double check that the domain in this snippet matches the target account.')} | |||
</Paragraph> | |||
<div class="flex items-end"> | |||
<div class="w-100 tr bb b--light-gray"> | |||
<button onClick={toggleScriptDisplay} class='pointer w-100 w-auto-ns fw1 f7 tc bn dib br1 ph2 pv1 black bg-black-10'><span class={classnames('ml2', 'dib', 'label-toggle', 'label-toggle', !useSnippetWithSRI? null : 'label-toggle--rotate')}></span> {buttonText}</button> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With classnames
you don't need to add ternary statements yourself, instead you can have the library conditionally apply classnames:
classnames('a', 'b' {'label-toggle--rotate': useSnippetWithSRI })
This pull request introduces 1 alert when merging ac23ced into c7aed87 - view on LGTM.com new alerts:
|
@m90 thank you for your feedback. Most importantly I changed towards the crypto library from node.
Is there a special trick to invoke this behavior you mentioned? Also: currently the generated sha-256 hash always differs from the browser enforced integrity hash. Furthermore my formatter seems to differ a bit from yours. Which one do you use? |
The entire repo uses Line 67 in c7aed87
You can check whether
Not really a trick. If you look at the Line 111 in c7aed87
You can now do the same in the |
build/Dockerfile.build
Outdated
WORKDIR /code/deps | ||
RUN npm ci | ||
COPY ./script /code/script | ||
COPY ./auditorium /code/auditorium | ||
COPY --from=script ./code/script/index.js /code/auditorium/script/index.js |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This copies the entrypoint file when instead we need to copy the bundled versions. See my comment on how to do this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this invoke the behavior we need?
COPY --from=script /code/script/dist/index.js /script/script.js
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a bundle created per locale (the script logs user facing messages in some cases which are localized) so we need t copy the entire dist directory and then pick the correct one in the build for auditorium
.
See:
Lines 43 to 44 in c7aed87
var dest = './dist/' + locale + '/' | |
var scriptTask = makeScriptTask(dest, locale) |
Lines 76 to 84 in c7aed87
return b | |
.plugin('tinyify') | |
.bundle() | |
.pipe(source('script.js')) | |
.pipe(buffer()) | |
.pipe(gap.prependText('*/')) | |
.pipe(gap.prependFile('./../banner.txt')) | |
.pipe(gap.prependText('/**')) | |
.pipe(gulp.dest(dest)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To not bother you with more questions I'll need some time to work me through the build process. To be honest it is a lot magic for me right now.
I'm not quite sure how gulp works together with the dockerfile.build
furthermore my overall gulp knowledge is very limited.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you have questions while doing so, don't worry about bothering me. In any case, take your time. Thanks.
This pull request introduces 1 alert when merging 4d37805 into c7aed87 - view on LGTM.com new alerts:
|
auditorium/gulpfile.js
Outdated
return true | ||
}, | ||
transform: transforms.map(function (transform) { | ||
if (transform === '@offen/l10nify' || (Array.isArray(transform) && transform[0] === '@offen/l10nify')) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be good if you could undo these formatting only changes as well even if standard is ok with them. It'll be easier to understand what changed if we don't have the additional noise in the diff.
Hey, first draft for the implementation of an optional SRI hash for the script tag.
The last required step is not working yet (by that I mean pulling the embedding script into the auditorium build file stage to generate the hash). Hopefully I can finalize everything on the weekend and already add your feedback / improvements.
@hendr-ik if you want I'll also update the UI towards a using a simple checkbox.