
Create Plugin: Support SRI in dynamic imported chunks

Open jackw opened this issue 1 year ago • 1 comment

What this PR does / why we need it:

This PR adds and configures the webpack SRI plugin so any dynamically imported chunks are loaded with hash checks (subresource-integrity-checks) and crossorigin="anonymous". This adds an extra layer of security when loading plugin assets.

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.

Plugin bundles that contain code-split chunks have their hashes set within the module.js file, e.g.:

[screenshot: module.js with the integrity hashes of its code-split chunks]

Combining this PR with the additional work of hashing the module.js, passing that hash to the frontend and then telling SystemJS to use it should give us a more secure loading strategy for plugins.

Which issue(s) this PR fixes:

Related: grafana/grafana-community-team/issues/15

Special notes for your reviewer:

📦 Published PR as canary version: Canary Versions

:sparkles: Test out this PR locally via:

npm install @grafana/[email protected]
# or 
yarn add @grafana/[email protected]

jackw avatar Jul 11 '24 10:07 jackw

Hello! 👋 This repository uses Auto for releasing packages using PR labels.

✨ This PR can be merged and will trigger a new minor release. NOTE: When merging a PR with the release label please avoid merging another PR. For further information see here.

github-actions[bot] avatar Jul 11 '24 10:07 github-actions[bot]

:rocket: PR was released in @grafana/[email protected] :rocket: