
Add support for Subresource Integrity

Open tmaier opened this issue 3 years ago • 7 comments

Is your feature request related to a problem? Please describe.

Similar to rails/webpacker#323

Sprockets supported subresource integrity out of the box. It would be nice if

vite_javascript_tag 'application', integrity: true

worked the same.

Describe the solution you'd like Calculate the hash for each file and add it to the relevant tags

Describe alternatives you've considered None.

Additional context

  • webpacker does not support it at the moment. This could be a nice differentiator. See rails/webpacker#323
  • Github about SRI: https://github.blog/2015-09-19-subresource-integrity/

tmaier avatar Jan 13 '22 14:01 tmaier

Pull requests are welcome!

In terms of design:

  • Should be an optional feature, preferably implemented as a separate Vite plugin
  • The plugin would add the integrity hash as needed to the entries in the Vite-rendered manifest.json, and manifest-assets.json
  • vite_ruby will parse this additional integrity field in each manifest entry
  • Tag helpers can relay this integrity attribute to the appropriate tag helper in vite_rails, vite_rails_legacy, vite_padrino, and vite_hanami (if provided in the manifest entry)

This last point makes it so that the tag helpers are decoupled from the way the integrity attribute is calculated, making it possible to use third-party vite plugins instead of bundling this in vite-plugin-ruby (it could even be calculated by a Ruby script, which updates manifest.json).

For reference:

These plugins are designed to modify html, but in this use case we only need an integrity hash to be assigned to each relevant manifest entry.

ElMassimo avatar Jan 13 '22 15:01 ElMassimo
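The design sketched above (a plugin writes an `integrity` field into each manifest entry, vite_ruby reads it, and the tag helper relays it when present) as an added Ruby example. This is not vite_ruby's or vite-plugin-manifest-sri's own code: the helper names (`sri_integrity`, `add_integrity_to_manifest`, `script_tag_for`), the `/vite/` asset prefix and the sample manifest and file contents are all constructed for the illustration; only the manifest shape (`file`, `isEntry`) mirrors Vite's manifest.json.

```ruby
require 'digest'
require 'json'

# Subresource Integrity value for a file's bytes: "<algo>-<base64 digest>".
# Browsers accept sha256, sha384 and sha512; sha384 is the common default.
# [digest].pack('m0') is strict (unpadded-newline-free) base64, so no base64 gem is needed.
def sri_integrity(content, algorithm: 'sha384')
  digest = case algorithm
           when 'sha256' then Digest::SHA256.digest(content)
           when 'sha384' then Digest::SHA384.digest(content)
           when 'sha512' then Digest::SHA512.digest(content)
           else raise ArgumentError, "unsupported SRI algorithm: #{algorithm}"
           end
  "#{algorithm}-#{[digest].pack('m0')}"
end

# Step 1, the "plugin" side: add an "integrity" field to every manifest entry
# whose built file can be read. read_file maps a manifest "file" path to its
# bytes (or nil when it cannot be read). Returns a new hash; input is not mutated.
def add_integrity_to_manifest(manifest, read_file:, algorithm: 'sha384')
  manifest.transform_values do |entry|
    content = read_file.call(entry['file'])
    next entry if content.nil? # no bytes, no hash: the entry stays usable without SRI
    entry.merge('integrity' => sri_integrity(content, algorithm: algorithm))
  end
end

# Minimal attribute-value escaping so a manifest value cannot break out of the tag.
def html_escape(value)
  value.to_s.gsub('&', '&amp;').gsub('"', '&quot;').gsub('<', '&lt;').gsub('>', '&gt;')
end

# Step 2, the vite_ruby side: build a <script> tag from a manifest entry and relay
# the integrity attribute only when the manifest provides one. The tag helper does
# not know or care how the hash was computed.
def script_tag_for(manifest, name, asset_host: '/vite/')
  entry = manifest.fetch(name) { raise KeyError, "missing manifest entry: #{name}" }
  attrs = { 'src' => "#{asset_host}#{entry['file']}", 'type' => 'module' }
  if entry['integrity']
    attrs['integrity'] = entry['integrity']
    # Browsers only enforce SRI on cross-origin scripts fetched in CORS mode.
    attrs['crossorigin'] = 'anonymous'
  end
  attr_string = attrs.map { |k, v| %(#{k}="#{html_escape(v)}") }.join(' ')
  "<script #{attr_string}></script>"
end

# Constructed sample manifest (shape mirrors Vite's manifest.json; values are made up).
SAMPLE_MANIFEST = {
  'entrypoints/application.js' => { 'file' => 'assets/application.abc123.js', 'isEntry' => true },
  'entrypoints/admin.js'       => { 'file' => 'assets/admin.def456.js',       'isEntry' => true },
}.freeze

# Constructed stand-in for the build directory: file path => bytes.
# admin.def456.js is deliberately absent so the "no integrity available" path is exercised.
SAMPLE_FILES = {
  'assets/application.abc123.js' => "console.log('hello')\n",
}.freeze

def demo_manifest
  add_integrity_to_manifest(SAMPLE_MANIFEST, read_file: ->(path) { SAMPLE_FILES[path] })
end

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(demo_manifest)
  puts script_tag_for(demo_manifest, 'entrypoints/application.js')
  puts script_tag_for(demo_manifest, 'entrypoints/admin.js')
end
```

Two points from the thread show up in the code: the hash lives in the manifest rather than in the tag helper, so any tool (a Vite plugin, a Ruby post-build script) can produce it, and an entry without `integrity` is rendered as a plain tag rather than failing. The `crossorigin="anonymous"` attribute matters in deployments that serve assets from a CDN origin: without it the browser skips the integrity check for cross-origin scripts, so the attribute would be present but ineffective.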

@tmaier Given that this requires changes to public APIs in ViteRuby::Manifest, it will need to wait for the next major release.

Experimental support is available in the next branch, you can try it now by explicitly adding 4.0.0.alpha1 to your Gemfile:

gem 'vite_rails', '~> 4.0.0.alpha1'

You must also add vite-plugin-manifest-sri to your package.json and configure it in vite.config.ts:

import { defineConfig } from 'vite'
import RubyPlugin from 'vite-plugin-ruby'
import ManifestSRI from 'vite-plugin-manifest-sri'

export default defineConfig({
  plugins: [
    RubyPlugin(),
    ManifestSRI(),
  ],
})

ElMassimo avatar Jan 18 '22 23:01 ElMassimo

@ElMassimo is this feature still not ready to release? Could be really helpful for security reasons.

vladimirtemnikov avatar Aug 03 '23 14:08 vladimirtemnikov

The implementation in 4.0.0.alpha1 lives in the next branch, and is "ready".

Given that this requires changes to public APIs in ViteRuby::Manifest, it will need to wait for the next major release.

This hasn't been a highly requested feature. I'm waiting for either breaking changes in Vite or something else that justifies releasing a new major.

ElMassimo avatar Aug 03 '23 14:08 ElMassimo

Hey @ElMassimo, is it possible to update the next branch to be based off the latest version of vite_rails? It looks like it's currently based off of the v3.0.8 which was released in 2022.

I'd like to use the Subresource integrity feature, but also need some of the fixes & features that were introduced in later releases (example)

Thanks!

santosgagbegnon avatar Sep 28 '23 21:09 santosgagbegnon

Hi there!

Any news on this feature? Is there something I can do to help?

I am working on replacing Webpacker with Vite for Mastodon (see https://github.com/mastodon/mastodon/pull/24981) and SRI is a requirement for us.

renchap avatar Jan 07 '24 09:01 renchap