Add Subresource Integrity to Snippet #823

Open. Wants to merge 1 commit into base: master
Conversation

@drewmendenhall drewmendenhall commented Feb 4, 2020

This change protects the loading of rollbar.js via the Browser JS Snippet from the CDN attack vector via Subresource Integrity.

I made a few changes to the build system in order to make this happen:

  • The webpack config that builds the snippet has been broken out into a separate config file. This config also exports a function so that the manifest can be read later in the build pipeline.
  • webpack-assets-manifest outputs the sha256 hash of the file which ends up on the CDN (minified vanilla config) to a file, dist/manifest.json.
  • Grunt builds rollbar.js via the webpack Node API, not grunt-webpack. This is done because the snippet build depends on the assets output from the vanilla build.
    • I'm pretty rusty with Grunt, so I couldn't find a good way to get things to work "the grunt way". I can put up another WIP branch if you'd like.

It might be nice to leverage multi-compiler mode in order to avoid reading from disk. Also, I'm not sure if it's useful to publish dist/manifest.json.
