
Add subresource integrity for JS and CSS assets #15096

Merged (1 commit), Nov 6, 2020

Conversation

Gargron (Member)

@Gargron Gargron commented Nov 5, 2020

Fix #2744

@ClearlyClaire (Contributor)

This breaks cross-origin loading of assets (e.g. when CDN_HOST is set). To fix that, the stylesheet_pack_tag calls need crossorigin: 'anonymous', which in turn requires the assets to be served with an Access-Control-Allow-Origin: * header.
Speaking of that last header, it seems dist/nginx.conf doesn't set those headers.

@Gargron Gargron force-pushed the feature-subresource-integrity branch from 0561fc9 to 36c33fd Compare November 6, 2020 03:34
@Gargron (Member, Author)

Gargron commented Nov 6, 2020

Speaking of that last header, it seems dist/nginx.conf doesn't set those headers.

That config does not include anything for getting assets from a separate subdomain, so there is no reason to put that header in there. I believe the crossorigin stuff does not affect requests to the same origin.

@Gargron Gargron merged commit 9b1f2a4 into master Nov 6, 2020
@Gargron Gargron deleted the feature-subresource-integrity branch November 6, 2020 10:56
umonaca pushed a commit to umonaca/mastodon that referenced this pull request Nov 8, 2020
@mashirozx (Contributor)

I think we should consider adding an ON/OFF option for this. My CDN forces CSS, JS and HTML code minification, which caused a "Failed to find a valid digest in the 'integrity' attribute for resource" error in the browser. TAT

@Gargron (Member, Author)

Gargron commented Nov 9, 2020

Is there no way to disable minification in your CDN? Mastodon assets are already minified. The point of the integrity feature is to prevent the CDN from serving poisoned assets, e.g. inserting their own JS to your users without your knowledge.

A very complicated way around this would be to calculate the integrity hash for the files that your CDN serves, and put that into public/packs/manifest.json then reload mastodon-web. But, I realize this is a lot of effort for little gain.
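The thread above touches three mechanics of subresource integrity: the integrity token itself (a hash of the exact bytes served, which is why a CDN-side minifier breaks it), the crossorigin="anonymous" attribute needed once assets live on a separate CDN_HOST, and the idea of recomputing the hash for whatever the CDN actually serves and placing it in the manifest. The Ruby below is an added illustration written for this page; it is not Mastodon or webpacker code, the manifest field names (src, integrity) and the cdn.example host are assumptions, and the CSS strings are constructed samples.

```ruby
require 'digest'
require 'json'

# Constructed sample asset (not a real Mastodon pack file).
ORIGINAL_CSS = ".notification { color: red; }\n".freeze
# The same asset after a CDN-side minifier rewrote it: different bytes, so a different digest.
MINIFIED_CSS = ".notification{color:red}".freeze

# Hash algorithms browsers accept in an integrity attribute.
SRI_ALGOS = {
  'sha256' => Digest::SHA256,
  'sha384' => Digest::SHA384,
  'sha512' => Digest::SHA512
}.freeze

# Compute an SRI token in the form browsers expect: "<algo>-<base64 digest of the bytes>".
def sri_digest(content, algo: 'sha384')
  klass = SRI_ALGOS.fetch(algo) { raise ArgumentError, "unsupported SRI algorithm #{algo}" }
  "#{algo}-#{[klass.digest(content)].pack('m0')}"
end

# A manifest entry in the spirit of public/packs/manifest.json. The field names
# here are an assumption for this example, not the real webpacker schema.
def manifest_entry(path, content)
  { 'src' => path, 'integrity' => sri_digest(content) }
end

# Render a stylesheet tag. For an asset on another origin (e.g. CDN_HOST) the browser
# only enforces integrity on a CORS request, so the tag must carry crossorigin="anonymous"
# and the CDN must answer with Access-Control-Allow-Origin: *. Same-origin assets need neither.
def stylesheet_tag(href, integrity, cross_origin:)
  attrs = %(rel="stylesheet" href="#{href}" integrity="#{integrity}")
  attrs += %( crossorigin="anonymous") if cross_origin
  "<link #{attrs}>"
end

# Emulate the browser's check: the fetched bytes must match at least one token in the
# integrity attribute. Simplification: real SRI only considers the strongest algorithm listed.
def integrity_ok?(integrity_attr, fetched_body)
  integrity_attr.split.any? do |token|
    algo = token.split('-', 2).first
    SRI_ALGOS.key?(algo) && sri_digest(fetched_body, algo: algo) == token
  end
end

if __FILE__ == $PROGRAM_NAME
  entry = manifest_entry('/packs/css/application.css', ORIGINAL_CSS)
  puts JSON.pretty_generate(entry)
  puts stylesheet_tag("https://cdn.example#{entry['src']}", entry['integrity'], cross_origin: true)
  puts "unmodified copy passes: #{integrity_ok?(entry['integrity'], ORIGINAL_CSS)}"
  puts "CDN-minified copy passes: #{integrity_ok?(entry['integrity'], MINIFIED_CSS)}"
end
```

Running it shows the digest from the build passing for the unmodified bytes and failing for the minified copy, which is exactly the browser error reported above; the workaround Gargron describes amounts to calling sri_digest on the bytes the CDN returns and writing that token into the manifest instead of the build-time one, after which the SRI check no longer guards against the CDN altering the file.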

Successfully merging this pull request may close these issues.

Subresource Integrity not working with webpack