offen icon indicating copy to clipboard operation
offen copied to clipboard
verified publisher icon offen

#565 Provide optional SRI hash when displaying embed code

Open raLaaaa opened this issue 3 years ago • 4 comments

Hey, first draft for the implementation of an optional SRI hash for the script tag.

image

The last required step is not working yet (by that I mean pulling the embedding script into the auditorium build file stage to generate the hash). Hopefully I can finalize everything on the weekend and already add your feedback / improvements.

@hendr-ik if you want I'll also update the UI towards a using a simple checkbox.

raLaaaa avatar Jul 28 '22 08:07 raLaaaa

This pull request introduces 1 alert when merging ac23ced5148cca23abde70f3bb986adb154954e4 into c7aed87b2746766346b6908434c6e9d4ae2c6df3 - view on LGTM.com

new alerts:

  • 1 for Unused variable, import, function or class

lgtm-com[bot] avatar Jul 29 '22 07:07 lgtm-com[bot]

@m90 thank you for your feedback. I hopefully tackled most of the stuff in the latest commits.

Most importantly I changed towards the crypto library from node. How ever copying the index.js from the script folder only worked for when running the script stage before the auditorium stage. Otherwise the file can not be found. ac23ced

Docker will figure out that the auditorium stage now depends on the script stage and wait for it to build.

Is there a special trick to invoke this behavior you mentioned?

Also: currently the generated sha-256 hash always differs from the browser enforced integrity hash. I assume that is because the browser generates the hash from a minified version (?) whereas I'm currently calculating the hash from the clear text script file. I'm working on that.

Furthermore my formatter seems to differ a bit from yours. Which one do you use?

raLaaaa avatar Jul 29 '22 07:07 raLaaaa

Furthermore my formatter seems to differ a bit from yours. Which one do you use?

The entire repo uses standard at version 14 https://github.com/offen/offen/blob/c7aed87b2746766346b6908434c6e9d4ae2c6df3/auditorium/package.json#L67 - it would be much appreciated if you could use this so the diff noise is as low as possible. Right now, it's a bit hard to tell which changes are formatting, and which ones are feature related.

You can check whether standard likes your changes by running the tests locally:

docker-compose run auditorium npm t

Is there a special trick to invoke this behavior you mentioned?

Not really a trick. If you look at the compiler stage of the build Dockerfile, you can see how it copies in the artifacts generated by the script stage here: https://github.com/offen/offen/blob/c7aed87b2746766346b6908434c6e9d4ae2c6df3/build/Dockerfile.build#L111

You can now do the same in the auditorium stage, copying these files to the location expected by the Gulpfile.

m90 avatar Jul 29 '22 15:07 m90

This pull request introduces 1 alert when merging 4d378057e201e7954450d3d26bc3ab09c6ec941d into c7aed87b2746766346b6908434c6e9d4ae2c6df3 - view on LGTM.com

new alerts:

  • 1 for Unused variable, import, function or class

lgtm-com[bot] avatar Aug 01 '22 11:08 lgtm-com[bot]