shakacode
diff --git a/‎CHANGELOG.md‎
Lines changed: 5 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/subresource_integrity.md‎
Lines changed: 54 additions & 0 deletions b/‎docs/subresource_integrity.md‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎lib/install/config/shakapacker.yml‎
Lines changed: 10 additions & 0 deletions b/‎lib/install/config/shakapacker.yml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎lib/shakapacker/configuration.rb‎
Lines changed: 4 additions & 0 deletions b/‎lib/shakapacker/configuration.rb‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎lib/shakapacker/helper.rb‎
Lines changed: 40 additions & 4 deletions b/‎lib/shakapacker/helper.rb‎
Lines changed: 40 additions & 4 deletions
diff --git a/‎lib/shakapacker/manifest.rb‎
Lines changed: 6 additions & 1 deletion b/‎lib/shakapacker/manifest.rb‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎package.json‎
Lines changed: 5 additions & 0 deletions b/‎package.json‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎package/config.js‎
Lines changed: 2 additions & 0 deletions b/‎package/config.js‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎package/environments/base.js‎
Lines changed: 25 additions & 2 deletions b/‎package/environments/base.js‎
Lines changed: 25 additions & 2 deletions
diff --git a/‎spec/dummy/package.json‎
Lines changed: 1 addition & 0 deletions b/‎spec/dummy/package.json‎
Lines changed: 1 addition & 0 deletions
@@ -8,6 +8,11 @@
 ## [Unreleased]
 Changes since the last non-beta release.
 
+
+### Added
+
+- Support for subresource integrity. [PR 570](https://github.com/shakacode/shakapacker/pull/570) by [panagiotisplytas](https://github.com/panagiotisplytas)
+
 ### Fixed
 
 - Install the latest major version of peer dependencies [PR 576](https://github.com/shakacode/shakapacker/pull/576) by [G-Rath](https://github.com/g-rath).
 
@@ -0,0 +1,54 @@
+# Subresource integrity
+It's a cryptographic hash that helps browsers check that the served js or css file has not been tampered in any way.
+
+[MDN - Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)
+
+## Important notes
+- If you somehow modify the file after the hash was generated, it will automatically be considered as tampered, and the browser will not allow it to be executed.
+- Enabling subresource integrity generation, will change the structure of `manifest.json`. Keep that in mind if you utilize this file in any other custom implementation.
+
+Before:
+```json
+{
+  "application.js": "/path_to_asset"
+}
+```
+
+After:
+```json
+{
+  "application.js": {
+    "src": "/path_to_asset",
+    "integrity": "<sha256-hash> <sha384-hash> <sha512-hash>"
+  }
+}
+```
+
+## Possible CORS issues
+Enabling subresource integrity for an asset, actually enforces CORS checks on that resource too. Which means that
+if you haven't set that up properly beforehand, it will probably lead to CORS errors with cached assets.
+
+[MDN - How browsers handle Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#how_browsers_handle_subresource_integrity)
+
+## Configuration
+
+By default, this setting is disabled, to ensure backwards compatibility, and let developers adapt at their own pace.
+This may change in the future, as it is a very nice security feature, and it should be enabled by default.
+
+To enable it, just add this in `shakapacker.yml`
+```yml
+  integrity:
+    enabled: true    
+```
+
+For further customization, you can also utilize the options `hash_functions` that control the functions used to generate 
+integrity hashes. And `cross_origin` that sets the cross-origin loading attribute.
+
+```yml
+  integrity:
+    enabled: true
+    hash_functions: ["sha256", "sha384", "sha512"]
+    cross_origin: "anonymous" # or "use-credentials"
+```
+
+This will utilize under the hood webpack-subresource-integrity plugin and will modify `manifest.json` to include integrity hashes.
@@ -55,6 +55,16 @@ default: &default
   # SHAKAPACKER_ASSET_HOST will override both configurations.
   # asset_host: custom-path
 
+  # Utilizing webpack-subresource-integrity plugin, will generate integrity hashes for all entries in manifest.json
+  # https://github.com/waysact/webpack-subresource-integrity/tree/main/webpack-subresource-integrity
+  integrity:
+    enabled: false
+    # Which cryptographic function(s) to use, for generating the integrity hash(es). Default sha-384. Other possible values sha256, sha512
+    hash_functions: ["sha384"]
+    # Default "anonymous". Other possible value "use-credentials"
+    # https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#cross-origin_resource_sharing_and_subresource_integrity
+    cross_origin: "anonymous"
+
 development:
   <<: *default
   compile: true
 
@@ -99,6 +99,10 @@ def asset_host
     )
   end
 
+  def integrity
+    fetch(:integrity)
+  end
+
   private
     def data
       @data ||= load
 
@@ -109,11 +109,11 @@ def javascript_pack_tag(*names, defer: true, async: false, **options)
     @javascript_pack_tag_loaded = true
 
     capture do
-      concat javascript_include_tag(*async, **options.dup.tap { |o| o[:async] = true })
+      render_tags(async, :javascript, **options.dup.tap { |o| o[:async] = true })
       concat "\n" if async.any? && deferred.any?
-      concat javascript_include_tag(*deferred, **options.dup.tap { |o| o[:defer] = true })
+      render_tags(deferred, :javascript, **options.dup.tap { |o| o[:defer] = true })
       concat "\n" if sync.any? && deferred.any?
-      concat javascript_include_tag(*sync, **options)
+      render_tags(sync, :javascript, options)
     end
   end
 
@@ -166,7 +166,9 @@ def stylesheet_pack_tag(*names, **options)
 
     @stylesheet_pack_tag_loaded = true
 
-    stylesheet_link_tag(*(requested_packs | appended_packs), **options)
+    capture do
+      render_tags(requested_packs | appended_packs, :stylesheet, options)
+    end
   end
 
   def append_stylesheet_pack_tag(*names)
@@ -238,4 +240,38 @@ def resolve_path_to_image(name, **options)
     rescue
       path_to_asset(current_shakapacker_instance.manifest.lookup!(name), options)
     end
+
+    def lookup_integrity(source)
+      (source.respond_to?(:dig) && source.dig("integrity")) || nil
+    end
+
+    def lookup_source(source)
+      (source.respond_to?(:dig) && source.dig("src")) || source
+    end
+
+    # Handles rendering javascript and stylesheet tags with integrity, if that's enabled.
+    def render_tags(sources, type, options)
+      return unless sources.present? || type.present?
+
+      sources.each.with_index do |source, index|
+        tag_source = lookup_source(source)
+
+        if current_shakapacker_instance.config.integrity[:enabled]
+          integrity = lookup_integrity(source)
+
+          if integrity.present?
+            options[:integrity] = integrity
+            options[:crossorigin] = current_shakapacker_instance.config.integrity[:cross_origin]
+          end
+        end
+
+        if type == :javascript
+          concat javascript_include_tag(tag_source, **options)
+        else
+          concat stylesheet_link_tag(tag_source, **options)
+        end
+
+        concat "\n" unless index == sources.size - 1
+      end
+    end
 end
@@ -67,7 +67,12 @@ def data
     end
 
     def find(name)
-      data[name.to_s].presence
+      return nil unless data[name.to_s].present?
+
+      return data[name.to_s] unless data[name.to_s].respond_to?(:dig)
+
+      # Try to return src, if that fails, (ex. entrypoints object) return the whole object.
+      data[name.to_s].dig("src") || data[name.to_s]
     end
 
     def full_pack_name(name, pack_type)
 
@@ -46,6 +46,7 @@
     "thenify": "^3.3.1",
     "webpack": "5.93.0",
     "webpack-assets-manifest": "^5.0.6",
+    "webpack-subresource-integrity": "^5.1.0",
     "webpack-merge": "^5.8.0"
   },
   "peerDependencies": {
@@ -60,6 +61,7 @@
     "terser-webpack-plugin": "^5.3.1",
     "webpack": "^5.76.0",
     "webpack-assets-manifest": "^5.0.6 || ^6.0.0",
+    "webpack-subresource-integrity": "^5.1.0",
     "webpack-cli": "^4.9.2 || ^5.0.0 || ^6.0.0",
     "webpack-dev-server": "^4.9.0 || ^5.0.0",
     "webpack-merge": "^5.8.0 || ^6.0.0"
@@ -70,6 +72,9 @@
     },
     "@types/webpack": {
       "optional": true
+    },
+    "webpack-subresource-integrity": {
+      "optional": true
     }
   },
   "packageManager": "[email protected]",
 
@@ -50,5 +50,7 @@ if (config.manifest_path) {
 } else {
   config.manifestPath = resolve(config.outputPath, "manifest.json")
 }
+// Ensure no duplicate hash functions exist in the returned config object
+config.integrity.hash_functions = [...new Set(config.integrity.hash_functions)]
 
 module.exports = config
@@ -86,7 +86,9 @@ const getPlugins = () => {
       writeToDisk: true,
       output: config.manifestPath,
       entrypointsUseAssets: true,
-      publicPath: config.publicPathWithoutCDN
+      publicPath: config.publicPathWithoutCDN,
+      integrity: config.integrity.enabled,
+      integrityHashes: config.integrity.hash_functions
     })
   ]
 
@@ -105,6 +107,22 @@ const getPlugins = () => {
     )
   }
 
+  if (
+    moduleExists("webpack-subresource-integrity") &&
+    config.integrity.enabled
+  ) {
+    const {
+      SubresourceIntegrityPlugin
+    } = require("webpack-subresource-integrity")
+
+    plugins.push(
+      new SubresourceIntegrityPlugin({
+        hashFuncNames: config.integrity.hash_functions,
+        enabled: isProduction
+      })
+    )
+  }
+
   return plugins
 }
 
@@ -121,7 +139,12 @@ module.exports = {
     // https://webpack.js.org/configuration/output/#outputhotupdatechunkfilename
     hotUpdateChunkFilename: "js/[id].[fullhash].hot-update.js",
     path: config.outputPath,
-    publicPath: config.publicPath
+    publicPath: config.publicPath,
+
+    // This is required for SRI to work.
+    crossOriginLoading: config.integrity.enabled
+      ? config.integrity.cross_origin
+      : false
   },
   entry: getEntryObject(),
   resolve: {
 
@@ -30,6 +30,7 @@
     "typescript": "^4.7.3",
     "webpack": "^5.76.0",
     "webpack-assets-manifest": "^5.1.0",
+    "webpack-subresource-integrity": "^5.1.0",
     "webpack-cli": "^4.9.2",
     "webpack-merge": "^5.8.0",
     "webpack-sources": "^3.2.3"
Original file line number	Diff line number	Diff line change
`@@ -50,5 +50,7 @@ if (config.manifest_path) {`
`50`	`50`	`} else {`
`51`	`51`	`config.manifestPath = resolve(config.outputPath, "manifest.json")`
`52`	`52`	`}`
	`53`	`+// Ensure no duplicate hash functions exist in the returned config object`
	`54`	`+config.integrity.hash_functions = [...new Set(config.integrity.hash_functions)]`
`53`	`55`
`54`	`56`	`module.exports = config`