Changeset 3416389
- Timestamp:
- 12/10/2025 12:26:04 PM (2 months ago)
- Location:
- auto-sri/trunk
- Files:
-
- 3 edited
-
auto-sri.php (modified) (1 diff)
-
includes/class-auto-sri.php (modified) (5 diffs)
-
readme.txt (modified) (3 diffs)
-
auto-sri/trunk/auto-sri.php
r3408972 r3416389 3 3 * Plugin Name: Auto SRI 4 4 * Description: Automatically adds Subresource Integrity (SRI) to external scripts and styles, while safely excluding dynamic content such as Google reCAPTCHA and Google Fonts. 5 * Version: 1.95 * Version: 2.0 6 6 * Author: Zafir Sk Heerah 7 7 * License: GPLv2 or later -
auto-sri/trunk/includes/class-auto-sri.php
r3408972 r3416389 12 12 // Output buffer to catch ALL scripts (raw + injected) 13 13 add_action('template_redirect', [__CLASS__, 'start_buffer']); 14 15 // Admin Settings 16 add_action('admin_menu', [__CLASS__, 'add_admin_menu']); 17 add_action('admin_init', [__CLASS__, 'settings_init']); 14 18 } 15 19 … … 49 53 } 50 54 51 // ============================ 52 // GOOGLE EXCLUSIONS 53 // ============================ 54 55 // 1. Google reCAPTCHA (dynamic) 56 if (preg_match('#google\.com/recaptcha#i', $url)) { 57 return $full; 58 } 59 60 // 2. Google Fonts CSS (dynamic) 61 if (strpos($url, 'fonts.googleapis.com') !== false) { 62 return $full; 63 } 64 65 // 3. Google reCAPTCHA subresources 66 if (strpos($url, 'gstatic.com/recaptcha') !== false) { 67 return $full; 68 } 69 70 // 4. WordPress.com widgets (dynamic) 71 if (strpos($url, 'widgets.wp.com') !== false) { 72 return $full; 73 } 74 75 // 5. Dynamic concatenated resources 76 if (strpos($url, '/_static/??') !== false) { 55 // Check exclusions 56 if (self::is_excluded($url)) { 77 57 return $full; 78 58 } … … 111 91 } 112 92 113 // ============================ 114 // GOOGLE EXCLUSIONS 115 // ============================ 116 117 // 1. Google Fonts CSS — dynamic content, not SRI compatible 118 if (strpos($url, 'fonts.googleapis.com') !== false) { 119 return $full; 120 } 121 122 // 2. Google Fonts font files (safe to SRI, but they are loaded by CSS) 123 if (strpos($url, 'fonts.gstatic.com') !== false) { 124 return $full; 125 } 126 127 // 3. WordPress.com widgets (dynamic) 128 if (strpos($url, 'widgets.wp.com') !== false) { 129 return $full; 130 } 131 132 // 4. 
Dynamic concatenated resources 133 if (strpos($url, '/_static/??') !== false) { 134 return $full; 135 } 136 137 // ============================ 93 // Check exclusions 94 if (self::is_excluded($url)) { 95 return $full; 96 } 138 97 139 98 $sri = AutoSRI::get_sri_hash($url); … … 168 127 } 169 128 170 // ============================ 171 // GOOGLE EXCLUSIONS 172 // ============================ 173 174 // reCAPTCHA 175 if (preg_match('#google\.com/recaptcha#i', $src)) { 129 // Check exclusions 130 if (self::is_excluded($src)) { 176 131 return $tag; 177 132 } 178 179 // Google Fonts stylesheet180 if (strpos($src, 'fonts.googleapis.com') !== false) {181 return $tag;182 }183 184 // Google Fonts font files185 if (strpos($src, 'fonts.gstatic.com') !== false) {186 return $tag;187 }188 189 // WordPress.com widgets (dynamic)190 if (strpos($src, 'widgets.wp.com') !== false) {191 return $tag;192 }193 194 // Dynamic concatenated resources195 if (strpos($src, '/_static/??') !== false) {196 return $tag;197 }198 199 // ============================200 133 201 134 $sri = self::get_sri_hash($src); … … 224 157 225 158 /** 159 * Check if the URL is excluded 160 */ 161 public static function is_excluded($url) { 162 // ============================ 163 // GOOGLE EXCLUSIONS (Hardcoded) 164 // ============================ 165 166 // 1. Google reCAPTCHA 167 if (preg_match('#google\.com/recaptcha#i', $url)) { 168 return true; 169 } 170 171 // 2. Google Fonts CSS 172 if (strpos($url, 'fonts.googleapis.com') !== false) { 173 return true; 174 } 175 176 // 3. Google reCAPTCHA subresources / specific font files 177 if (strpos($url, 'gstatic.com/recaptcha') !== false || strpos($url, 'fonts.gstatic.com') !== false) { 178 return true; 179 } 180 181 // 4. WordPress.com widgets 182 if (strpos($url, 'widgets.wp.com') !== false) { 183 return true; 184 } 185 186 // 5. 
Dynamic concatenated resources 187 if (strpos($url, '/_static/??') !== false) { 188 return true; 189 } 190 191 // ============================ 192 // USER DEFINED EXCLUSIONS 193 // ============================ 194 $user_exclusions = get_option('auto_sri_exclusions', ''); 195 if (!empty($user_exclusions)) { 196 $lines = explode("\n", $user_exclusions); 197 foreach ($lines as $line) { 198 $line = trim($line); 199 if (empty($line)) continue; 200 201 // Simple substring match 202 if (stripos($url, $line) !== false) { 203 return true; 204 } 205 } 206 } 207 208 return false; 209 } 210 211 /** 212 * Add Admin Menu 213 */ 214 public static function add_admin_menu() { 215 add_options_page( 216 'Auto SRI Settings', 217 'Auto SRI', 218 'manage_options', 219 'auto-sri', 220 [__CLASS__, 'settings_page_html'] 221 ); 222 } 223 224 /** 225 * Register Settings 226 */ 227 public static function settings_init() { 228 register_setting('auto_sri', 'auto_sri_exclusions'); 229 230 add_settings_section( 231 'auto_sri_section', 232 __('Exclusions', 'auto-sri'), 233 null, 234 'auto_sri' 235 ); 236 237 add_settings_field( 238 'auto_sri_exclusions', 239 __('Excluded URLs (one per line)', 'auto-sri'), 240 [__CLASS__, 'exclusions_callback'], 241 'auto_sri', 242 'auto_sri_section' 243 ); 244 } 245 246 /** 247 * Callback for the exclusions field 248 */ 249 public static function exclusions_callback() { 250 $value = get_option('auto_sri_exclusions', ''); 251 ?> 252 <textarea name="auto_sri_exclusions" rows="10" cols="50" class="large-text code"><?php echo esc_textarea($value); ?></textarea> 253 <p class="description">Enter part of the URL to exclude. 
For example: <code>ads.google.com</code> or <code>my-dynamic-script.js</code>.</p> 254 <?php 255 } 256 257 /** 258 * Settings Page HTML 259 */ 260 public static function settings_page_html() { 261 if (!current_user_can('manage_options')) { 262 return; 263 } 264 ?> 265 <div class="wrap"> 266 <h1><?php echo esc_html(get_admin_page_title()); ?></h1> 267 <form action="options.php" method="post"> 268 <?php 269 settings_fields('auto_sri'); 270 do_settings_sections('auto_sri'); 271 submit_button('Save Settings'); 272 ?> 273 </form> 274 </div> 275 <?php 276 } 277 278 /** 226 279 * Compute or get cached SRI hash 227 280 */ -
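Review bot: The substring tests in `is_excluded()` match anywhere in the URL, so a rule such as `strpos($url, 'fonts.googleapis.com')` or a user entry like `ads.google.com` also matches when that text sits in the path or query string of an unrelated host, and that resource is then emitted without an `integrity` attribute. For the host-based rules, compare the parsed host instead, e.g. `$host = wp_parse_url($url, PHP_URL_HOST);` followed by `$host === 'fonts.googleapis.com'`, and keep substring matching only for path rules such as `/_static/??`. A very short user entry (for example `js`) turns SRI off for nearly every asset, so the field description should say so or entries below a minimum length should be ignored. Separately, `register_setting('auto_sri', 'auto_sri_exclusions')` saves the textarea without a `sanitize_callback`; passing `['sanitize_callback' => 'sanitize_textarea_field']` as the third argument would normalise the value before it is stored.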
auto-sri/trunk/readme.txt
r3408972 r3416389 4 4 Requires at least: 5.0 5 5 Tested up to: 6.8 6 Stable tag: 1.96 Stable tag: 2.0 7 7 License: GPLv2 or later 8 8 License URI: https://www.gnu.org/licenses/gpl-2.0.html … … 86 86 == Changelog == 87 87 88 = 2.0 = 89 * Added settings page to allow user-defined URL exclusions 90 * Refactored exclusion logic for better maintainability (Unit tested) 91 88 92 = 1.9 = 89 93 * Added admin panel exclusion - SRI no longer applies in wp-admin … … 128 132 == Upgrade Notice == 129 133 130 = 1.9=131 Ad min panel exclusion added. WordPress.com widgets and dynamic concatenated resources now properly excluded to prevent integrity errors.134 = 2.0 = 135 Added settings page for user-defined exclusions. Refactored exclusion logic.