DevToys-app / DevToys

A Swiss Army knife for developers.
https://devtoys.app/
MIT License

Subresource Integrity Hash Generator #507

Open kfrancis opened 2 years ago

kfrancis commented 2 years ago

What's the Problem?

When securing a site, one feature you can use is an SRI hash on your scripts so the browser will block them if they get modified.

Solution/Idea

Implement a new generator for Subresource Integrity.

Given an HTTPS URL, read the content and generate the hash of the content.

Example

URL: https://code.jquery.com/jquery-3.6.0.min.js

SHA-256 hash: sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=

Full SHA-256 script tag:

<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script>

SHA-384 hash: sha384-vtXRMe3mGCbOeY7l30aIg8H9p3GdeSe4IFlP6G8JMa7o7lXvnz3GFKzPxzJdPfGK

Full SHA-384 script tag:

<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha384-vtXRMe3mGCbOeY7l30aIg8H9p3GdeSe4IFlP6G8JMa7o7lXvnz3GFKzPxzJdPfGK" crossorigin="anonymous"></script>

SHA-512 hash: sha512-894YE6QWD5I59HgZOGReFYm4dnWc1Qt5NtvYSaNcOP+u1T9qYdvdihz0PPSiiqn/+/3e7Jo4EaG7TubfWGUrMQ==

Full SHA-512 script tag:

<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha512-894YE6QWD5I59HgZOGReFYm4dnWc1Qt5NtvYSaNcOP+u1T9qYdvdihz0PPSiiqn/+/3e7Jo4EaG7TubfWGUrMQ==" crossorigin="anonymous"></script>


Alternatives

https://www.srihash.org/

Priorities

Capability                                                                         Priority
This proposal will allow developers to generate an SRI hash given a secure URL     Must
This proposal will allow developers to copy the generated hash only                Should
This proposal will allow developers to copy the completed script link              Could

DevToys Version

Version 1.0.6.0 | X64 | RELEASE | c032ebb | c032ebb

Comments

No response

kfrancis commented 1 year ago

Any particular reason @veler?

veler commented 1 year ago

Hi. Somehow, it looks like my answer got lost. Sorry about that. Long story short, my understanding is that in order to do this tool, an internet connection would be needed. DevToys needs to stay completely offline, so we wouldn't want to add a tool that needs to download or upload anything.

That said, I wonder if the Checksum Generator tool could help with it? How different is that?

kfrancis commented 1 year ago

Right, it is just a checksum. If you could pick the file locally, that would work too, though I think you're right: it doesn't sound like a good fit.

veler commented 1 year ago

The Checksum Generator tool already accepts local files.


One thing, however: when I tested it yesterday, I found that https://www.srihash.org/ was providing a different hash for the same given file. Not sure what differs here.

kfrancis commented 1 year ago

My guess would be how the content is read to generate the checksum; this is the example they use:

openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A

but yes, I see the same thing - so could we possibly get the ability to generate that checksum offline then?
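Worked example of what such an offline generator computes, added here and not code from DevToys or from anyone in this thread: the `openssl dgst -sha384 -binary FILE | openssl base64 -A` pipeline in Python, next to the hex form a checksum tool displays (the same digest in a different encoding, which is the usual reason the two outputs look different), plus a browser-style check of an integrity attribute. The URL and the sample script bytes are constructed placeholders.

```python
import base64
import hashlib

# Algorithms the SRI spec permits in an integrity attribute, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample content; stands in for a locally picked .js file.
SAMPLE_JS = b"console.log('constructed sample script, not a real library');\n"


def hex_checksum(data: bytes, algo: str = "sha384") -> str:
    """Hex digest, the form a typical checksum tool shows."""
    return hashlib.new(algo, data).hexdigest()


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Same digest, base64-encoded and prefixed with the algorithm name:
    equivalent to `openssl dgst -<algo> -binary FILE | openssl base64 -A`."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI does not allow {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_from_hex_checksum(hex_digest: str, algo: str) -> str:
    """Re-encode an existing hex checksum as an SRI value without re-hashing."""
    return f"{algo}-{base64.b64encode(bytes.fromhex(hex_digest)).decode('ascii')}"


def script_tag(url: str, data: bytes, algo: str = "sha384") -> str:
    """The 'completed script link' from the proposal's Could priority."""
    return (f'<script src="{url}" integrity="{sri_hash(data, algo)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(data: bytes, integrity: str) -> bool:
    """Browser-style check: an attribute may list several space-separated
    hashes; content passes if it matches any hash of the strongest listed
    algorithm. Unrecognised-only metadata is treated as a failure here."""
    parsed = []
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in SRI_ALGORITHMS:
            parsed.append((SRI_ALGORITHMS.index(algo), algo, value.split("?")[0]))
    if not parsed:
        return False
    strongest = max(rank for rank, _, _ in parsed)
    return any(sri_hash(data, algo) == f"{algo}-{value}"
               for rank, algo, value in parsed if rank == strongest)


if __name__ == "__main__":
    for name in SRI_ALGORITHMS:
        print(script_tag("https://example.invalid/app.js", SAMPLE_JS, name))
```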