Add support for subresource integrity #506
Comments
hey thanks for sharing this - I know vaguely of SRI but it's not something I've actively looked into, but I think if it's something we could make painless to do via Shakapacker (ideally to the point that it could just be on by default) I think that'd be a really awesome security win. I'll try to get some time this month to look over your code in more detail and what it might take to get it integrated in - please feel free to post any updates here, and I'll do the same about any learnings I have :)
@G-Rath Sounds good. I noticed that the Rails Sprockets gem has support for SRI, although its documentation states that the support is considered experimental at this point. It's an implementation to look at for ideas.
Hi @G-Rath, did you have time to look into adding a configuration option for SRI? I am in the same position as @denisahearn - my company requires SRI to be implemented for our JS packs in order to remediate pen test feedback. This is reasonably high priority for us, so I'll look at @denisahearn's solution above and see if something similar would apply to our stack in the meantime. Any help with this greatly appreciated! Thanks.
@james-robson no not yet sorry, though it's still on my todo (famous last words 😅)
Ah, I know that feeling @G-Rath no worries! I managed to implement an asset helper similar to the above, I amended it slightly to override
FWIW - When I opened this issue I mentioned that my hand-rolled solution still needed to go through my team's QA process. It did a while ago and we've been using it in production for a few months now. I don't recall that QA found any issues that required changing the code that I posted above.
My company has asked me to implement subresource integrity security in our Rails application. We're using shakapacker/webpack for our JavaScript assets (Sprockets is handling the bundling of our stylesheets and images). After researching how to do this, I came to learn that SRI isn't a first class feature of Shakapacker, however there is some information out there that helped me to roll my own solution.
config/webpack/webpack.config.js
app/views/layouts/application.html.erb
app/helpers/asset_helper.rb
(Disclaimer: The view helper code above probably does not handle all scenarios. I wrote it to work with our Rails application and we still need to take it through our QA process. If anyone decides to use it, I highly suggest scrutinizing that code to make sure it is appropriate for your application.)
Desired behavior:
SRI support is a first-class feature in shakapacker, and easily enabled by doing something like this:
config/shakapacker.yml
view template
Actual behavior:
SRI support must be added through custom coding
Setup environment:
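The issue describes two halves of a hand-rolled SRI setup: a build step that records a digest for each emitted pack, and a view helper that puts that digest on the `<script>` tag. The snippet below is an added example written for this page, not the issue author's helper and not Shakapacker's own code. It assumes a manifest shaped like Shakapacker's `manifest.json` (logical name to fingerprinted public path) and uses an in-memory hash as a stand-in for reading the built files from `public/packs`; the function names are hypothetical. It also models the browser-side check so that a tampered file can be shown failing without a browser.

```ruby
require 'digest/sha2'
require 'cgi'

# Algorithms the SRI spec lets browsers honor, listed weakest to strongest.
SRI_ALGORITHMS = %w[sha256 sha384 sha512].freeze
SRI_DIGESTS = {
  'sha256' => Digest::SHA256,
  'sha384' => Digest::SHA384,
  'sha512' => Digest::SHA512
}.freeze

# Build an integrity token ("sha384-<base64 digest>") over the exact bytes that will be served.
def sri_hash(content, algorithm: 'sha384')
  digest_class = SRI_DIGESTS.fetch(algorithm) { raise ArgumentError, "unsupported SRI algorithm: #{algorithm}" }
  "#{algorithm}-#{digest_class.base64digest(content)}"
end

# Compute a token for every manifest entry at build time.
# `manifest` maps a logical pack name to its fingerprinted public path (assumed shape of
# Shakapacker's manifest.json); `files` is a constructed stand-in for reading public/packs.
def integrity_for_manifest(manifest, files)
  manifest.each_with_object({}) do |(name, path), out|
    out[name] = sri_hash(files.fetch(path) { raise KeyError, "pack not found: #{path}" })
  end
end

# Render the tag the layout needs. crossorigin is required for SRI on cross-origin (CDN)
# sources: without it the browser cannot verify the response and refuses to run it.
def javascript_sri_tag(src, integrity, cross_origin: 'anonymous')
  %(<script src="#{CGI.escapeHTML(src)}" integrity="#{CGI.escapeHTML(integrity)}" crossorigin="#{CGI.escapeHTML(cross_origin)}"></script>)
end

# Model of the browser-side check: parse the attribute, keep only recognized algorithms,
# enforce only the strongest one present, and accept if any token of that algorithm matches.
# An attribute with no recognized token is treated as absent (no enforcement), which is what
# the spec prescribes and is an easy way to silently lose the protection.
def integrity_matches?(content, integrity_attr)
  tokens = integrity_attr.split.filter_map do |token|
    alg, digest = token.split('-', 2)
    digest = digest.to_s.split('?', 2).first # drop any option suffix after '?'
    [alg, digest] if SRI_ALGORITHMS.include?(alg)
  end
  return true if tokens.empty?
  strongest = tokens.map(&:first).max_by { |alg| SRI_ALGORITHMS.index(alg) }
  tokens.any? { |alg, digest| alg == strongest && sri_hash(content, algorithm: alg) == "#{alg}-#{digest}" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: one pack and its built contents.
  manifest = { 'application.js' => '/packs/js/application-0f1e2d.js' }
  files = { '/packs/js/application-0f1e2d.js' => "console.log('hello');\n" }
  integrity = integrity_for_manifest(manifest, files)
  puts javascript_sri_tag(manifest['application.js'], integrity['application.js'])
  # A copy modified after the build (for example on a CDN) fails the check a browser performs.
  puts integrity_matches?("console.log('pwned');\n", integrity['application.js']) # false
end
```

Two practical points follow from the check being a byte-exact digest. The token must be computed from the final emitted file, after minification and fingerprinting, and anything that rewrites the body afterwards (a CDN-side minifier, an injected banner) will make the browser block the script outright rather than degrade gracefully; `Content-Encoding` compression is fine, since the digest is over the decoded body. And because an unrecognized token disables enforcement instead of failing, a test like `integrity_matches?` above belongs in the build's own checks so a typo in the algorithm name is caught before deploy.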