(SECURITY) Allow use of "integrity" and "crossorigin" attributes when specifying script dependencies

[strazto]

Resolves #101 - Use of such attributes are considered best-practise for security when referencing scripts stored at remote servers:

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

[wch]

For htmlDependency(), the value of the script can currently be a vector of multiple JS files, as in:

htmlDependency(
  name = "lib2",
  version = "1.0",
  src = list(href = "https://cdn.com/libs"), 
  script = c(
    "js/lib2.js",
    "js/lib2-extra.js"
  )
)

Here's a set of cases that would need to work:

renderDependencies(
  list(
    # Single .js file with integrity and crossorigin
    htmlDependency(
      name = "lib1",
      version = "1.0",
      src = list(href = "https://cdn.com/libs"), 
      script = c(
        "js/lib1.js",
        integrity = "asdf",
        crossorigin = "anonymous"
      )
    ),

    # Multiple .js files
    htmlDependency(
      name = "lib2",
      version = "1.0",
      src = list(href = "https://cdn.com/libs"), 
      script = c(
        "js/lib2.js",
        "js/lib2-extra.js"
      )
    ),

    # Multiple .js files, one with integrity, crossorigin
    htmlDependency(
      name = "lib3",
      version = "1.0",
      src = list(href = "https://cdn.com/libs"), 
      script = list(
        c(
          "js/lib3.js",
          integrity = "asdf",
          crossorigin = "anonymous"
        ),
        "js/lib3-extra.js"
      )
    ),
    
    # Multiple .js files, all with integrity, crossorigin;
    # one in list, one in character vector
    htmlDependency(
      name = "lib4",
      version = "1.0",
      src = list(href = "https://cdn.com/libs"), 
      script = list(
        list(
          "js/lib4.js",
          integrity = "asdf",
          crossorigin = "anonymous"
        ),
        c(
          "js/lib4-extra.js",
          integrity = "asdf",
          crossorigin = "anonymous"
        )
      )
    )
  )
)

It would also be helpful to have examples in the docs that illustrate how to provide integrity and crossorigin. (The docs for htmlDependency don't currently have any examples, but it would benefit from having some.)

[strazto]

Thanks for the quick response, & for the feedback - I already discovered that the script can be a character vector the hard way, when I was trying to use my fork w/ kableExtra & got errors on its bootstrap dep.

[strazto]

It sounds like the way forward is as follows:

if script is a named list with fields: src, integrity, crossorigin, turn those into a list, and nest it in script

For each element item of script:
if item is a list
check item for names & transform into attributes
else
put item directly into script tags

I'll modify the test cases to support the character vector of scripts you mentioned, as well as the flavours of script tags we've discused

[strazto]

For my documentation of the script tag- I don't have time to look up the Rd spec on writing lists, and I usually use markdown for my docs, so the lists will need to be reformated, but this is ready to pull besides that @wch

[wch]

In addition to the other comments, I think there also be some tests for non-list input, to ensure that it's handled correctly.

[cpsievert]

To make this change safer and easier to reason about, consider adding an early exit here, something like:

if (is.character(script)) {
  return(renderCharacterScript(script, srcpath, encodeFunc, hrefFilter))
}

With renderCharacterScript() defined as:

renderCharacterScript <- function(script, path, encodeFunc, hrefFilter) {
  paste0(
    '<script src="',
    htmlEscape(hrefFilter(file.path(path, encodeFunc(script)))),
    "'></script>"
  )
}

You could then also reuse this function when you go to render the more complex list case

[strazto]

I don't really see how that could be used for the more complex list case.

The llist case aims to support instances such as:

renderScript(list("s1.js", list(src = "s2.js"), list(src = "s3.js", integrity = "hash", crossorigin = "anonymous")))

<script src="s1.js"></script>
<script src="s2.js"></script>
<script src="s3.js" integrity="hash" crossorigin="anonymous"></script>

or:

renderScript(list(src = "s3.js", integrity = "hash", crossorigin = "anonymous"))

<script src="s3.js" integrity="hash" crossorigin="anonymous"></script>

These accept mixed use of character vectors, nested lists, & pure lists.

Unless I'm mistaken, the change you're proposing would mean I'd have to duplicate the actual templating pattern for the case of unnamed character vectors, and named lists.

[strazto]

@wch @cpsievert the requested changes have been addressed, except for #187 (comment) , on which I disagree (or perhaps misunderstood) the requested change.

Should be ready for pull, let me know if you'd like me to squash some of the history down.

[strazto]

Cleaned & reopened this in #188