
Support subresource integrity hash

Open jfitzgerald opened this issue 3 years ago • 1 comments

Describe the problem

My infosec team is requesting that we load the DocSearch JavaScript with the subresource integrity property. I noticed that the Instantsearch.js files support this, as seen in the code snippet here. However the DocSearch code snippet does not offer the same option.

Describe the solution

I realize that I can generate the hash myself, but that’s not a permanent solution if the source file could change without warning.

Can I use this integrity hash and expect the DocSearch JS file not to change?

<script src="https://cdn.jsdelivr.net/npm/@docsearch/js@3" integrity="sha256-9YwDyZ6nUsvEuYEWMqPqiCUZ+3ykeo4PJ+wNy8NTIBM=" crossorigin="anonymous"></script>

jfitzgerald avatar Sep 13 '22 15:09 jfitzgerald

Investigating this a bit, with how the jsdelivr CDN works, esp. as recommended in the setup instructions, it's impossible to associate SRI with an imprecise version. Per jsdelivr, https://www.jsdelivr.com/using-sri-with-dynamic-files says:

Do NOT use SRI with: version aliasing (version ranges) The purpose of version aliasing is getting automatic updates. This obviously means the code can change any time.

The next question is this: what's the danger of pinning to a particular version of the docsearch library?

One way I'm thinking about working around this for my use case, which is a static site, is to retrieve the latest version of the library from the npm registry API:

$ curl -s --header "Accept: application/vnd.npm.install-v1+json" https://registry.npmjs.org/@docsearch/js | \
  jq -r '.["dist-tags"].latest'
3.5.2

Then retrieve the content of jsdelivr's cache at that version and get the SRI hash:

$ curl -s --header "Accept: application/javascript" https://cdn.jsdelivr.net/npm/@docsearch/js@3.5.2/dist/umd/index.js | \
  shasum -b -a 256 | \
  awk '{ print $1 }' | \
  xxd -r -p | \
  base64
Y1WAhww0aFm/7xcgnD56E3jWSfKlRG9DIB2Tcs8exCQ=

Then, include the output of that in my generated script tag. This would safen the resource, creating only a threat vector at site build time.

Of course, this is a lot if the risk in falling behind docsearch versions is minimal.

colindean avatar Sep 13 '23 03:09 colindean
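The build-time procedure sketched in the comment above (resolve the latest published version, hash the exact file the CDN serves for that version, emit a pinned `<script>` tag) as a single added example in Python; this is not code from the thread or from the DocSearch project. It reuses the registry URL and jsdelivr path from the comment, and it assumes the generated tag is consumed by a static-site build that runs this script. The hashing, verification and tag rendering are pure functions so they can be checked offline; the two network calls are thin wrappers that only `build_pinned_tag()` uses. The self-check also reproduces the browser rule that only hashes of the strongest listed algorithm count, which the comment's one-hash case does not show.

```python
"""Pin a CDN-hosted script to an exact version plus SRI hash at build time.

Added example; assumes the npm registry and jsdelivr URLs quoted in the
issue thread and a Python-based static-site build.
"""
import base64
import hashlib
import hmac
import json
import re
import urllib.request

REGISTRY_URL = "https://registry.npmjs.org/@docsearch/js"  # from the comment
CDN_TEMPLATE = "https://cdn.jsdelivr.net/npm/@docsearch/js@{version}/dist/umd/index.js"

# SRI permits exactly these algorithms; the number is the browser's preference order.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}
_SEMVER = re.compile(r"^\d+\.\d+\.\d+$")


def sri_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Return an SRI metadata token, e.g. 'sha256-<base64 digest>', for data."""
    if algorithm not in _STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(data: bytes, integrity: str) -> bool:
    """Apply the browser's matching rule to an integrity attribute value.

    The attribute may list several space-separated tokens. Browsers keep only
    the tokens using the strongest recognised algorithm and accept the resource
    if any of those matches. A browser would load a resource with no recognised
    token at all without checking; this build-time check is stricter and fails.
    """
    tokens = [t for t in integrity.split() if t.partition("-")[0] in _STRENGTH]
    if not tokens:
        return False
    strongest = max(_STRENGTH[t.partition("-")[0]] for t in tokens)
    actual = {}  # computed lazily per algorithm
    for token in tokens:
        alg = token.partition("-")[0]
        if _STRENGTH[alg] != strongest:
            continue
        actual.setdefault(alg, sri_hash(data, alg))
        if hmac.compare_digest(actual[alg], token):
            return True
    return False


def render_script_tag(version: str, integrity: str) -> str:
    """Emit a <script> tag pinned to one version with its SRI hash.

    The version comes from a remote registry response, so it is validated
    before being interpolated into HTML. crossorigin="anonymous" is required:
    browsers only enforce SRI on cross-origin scripts fetched with CORS.
    """
    if not _SEMVER.match(version):
        raise ValueError(f"refusing to pin to non-semver version {version!r}")
    src = CDN_TEMPLATE.format(version=version)
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


def fetch_latest_version(timeout: float = 10) -> str:
    """Resolve the 'latest' dist-tag from the npm registry (network)."""
    req = urllib.request.Request(
        REGISTRY_URL, headers={"Accept": "application/vnd.npm.install-v1+json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["dist-tags"]["latest"]


def fetch_pinned_asset(version: str, timeout: float = 10) -> bytes:
    """Download the exact file jsdelivr serves for that version (network)."""
    with urllib.request.urlopen(CDN_TEMPLATE.format(version=version), timeout=timeout) as resp:
        return resp.read()


def build_pinned_tag() -> str:
    """The whole procedure: resolve, download, hash, self-check, render."""
    version = fetch_latest_version()
    data = fetch_pinned_asset(version)
    integrity = sri_hash(data)
    if not sri_matches(data, integrity):  # guards against a hashing/encoding slip
        raise RuntimeError("generated SRI token does not verify against the asset")
    return render_script_tag(version, integrity)


if __name__ == "__main__":
    print(build_pinned_tag())
```

Running the module during the site build prints the tag to paste into the page template; re-running it later yields a new version and hash only when a new release has been published, which is exactly the window the comment identifies as the remaining risk.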