grass icon indicating copy to clipboard operation
grass copied to clipboard

Published 20 hours ago verified publisher icon connorskees

add support for Subresource Integrity in grass::include!

Open prabirshrestha opened this issue 1 year ago • 4 comments

For more context refer to https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

prabirshrestha avatar Dec 31 '23 06:12 prabirshrestha

Could you expand a bit more on the ask here? You want grass::include! to return an object which contains the compiled CSS as a string and the base64 encoded hash of that string?

connorskees avatar Dec 31 '23 07:12 connorskees

I want to basically do something like this. Rather than me caching the hash would be good if the macro returned the object and stored the hash so it can be done during compile time.

<link rel="stylesheet" href="/style.css"
      integrity="sha256-vjnUh7+rXHH2lg/5vDY8032ftNVCIEC21vL6szrVw9M="
      crossorigin="anonymous">

Do note that only specific algorithms are supported by browsers. I'm ok for now if it supports only one of the algorithm. https://www.w3.org/TR/SRI/#cryptographic-hash-functions.

Conformant user agents must support the SHA-256, SHA-384 and SHA-512 cryptographic hash functions for use as part of a request’s integrity metadata and may support additional hash functions.

User agents should refuse to support known-weak hashing functions like MD5 or SHA-1 and should restrict supported hashing functions to those known to be collision-resistant. Additionally, user agents should re-evaluate their supported hash functions on a regular basis and deprecate support for those functions that have become insecure. See Hash collision attacks.

prabirshrestha avatar Dec 31 '23 07:12 prabirshrestha

Do you want grass::include! to compute the hash so that it's done at compile time or just to simplify your code? If it's the former, I think you can get away with using other libraries to do compile time sha256+base64 encoding.

https://docs.rs/sha2-const/latest/sha2_const/ and https://docs.rs/const_base/0.2.0/const_base/ seem to have the behavior you want. If these libraries don't work let me know and I'll put one that does on crates.io, since I think this is reasonable behavior to expect from the ecosystem.

If you want the latter (simplifying your code), I'm not super sure I'd want to add such functionality to grass::include!, since it adds dependencies on hashing+base64 encoding crates and makes the API more complicated.

connorskees avatar Dec 31 '23 08:12 connorskees

If other crates supports it, I can try using it. Might be just having the docs updated would be good.

prabirshrestha avatar Dec 31 '23 08:12 prabirshrestha

Closing this out as this isn't a feature grass will support directly. Please feel free to re-open or open another issue.

connorskees avatar Jan 16 '24 10:01 connorskees