Add support for Subresource Integrity

[tmaier]

Is your feature request related to a problem? Please describe.

Similar to rails/webpacker#323

Sprockets supported subresource integrity out of the box. It would be nice if

vite_javascript_tag 'application', integrity: true

worked the same.

Describe the solution you'd like Calculate the hash for each file and add it to the relevant tags

Describe alternatives you've considered None.

Additional context

• webpacker does not support it at the moment. This could be a nice differentiator. See rails/webpacker#323
• Github about SRI: https://github.blog/2015-09-19-subresource-integrity/

[ElMassimo]

Pull requests are welcome!

In terms of design:

• Should be an optional feature, preferably implemented as a separate Vite plugin
• The plugin would add the integrity hash as needed to the entries in the Vite-rendered manifest.json, and manifest-assets-json
• vite_ruby will parse this additional integrity field in each manifest entry
• Tag helpers can relay this integrity attribute to the appropriate tag helper in vite_rails, vite_rails_legacy, vite_padrino, and vite_hanami (if provided in the manifest entry)

This last point makes it so that the tag helpers are decoupled from the way the integrity attribute is calculated, making it possible to use third-party vite plugins instead of bundling this in vite-plugin-ruby (it could even be calculated by a Ruby script, which updates manifest.json).

For reference:

• Rollup Plugin
• Vite Plugin

These plugins are designed to modify html, but in this use case we only need an integrity hash to be assigned to each relevant manifest entry.

[ElMassimo]

@tmaier Given that this requires changes to public APIs in ViteRuby::Manifest, it will need to wait for the next major release.

Experimental support is available in the next branch, you can try it now by explicitly adding 4.0.0.alpha1 to your Gemfile:

gem 'vite_rails', '~> 4.0.0.alpha1'

You must also add vite-plugin-manifest-sri to your package.json and configure it in vite.config.ts:

import { defineConfig } from 'vite'
import RubyPlugin from 'vite-plugin-ruby'
import ManifestSRI from 'vite-plugin-manifest-sri'

export default defineConfig({
  plugins: [
    RubyPlugin(),
    ManifestSRI(),
  ],
})

[vladimirtemnikov]

@ElMassimo is this feature still not ready to release? Could be really helpful for security reasons.

[ElMassimo]

The implementation in 4.0.0.alpha1 lives in the next branch, and is "ready".

Given that this requires changes to public APIs in ViteRuby::Manifest, it will need to wait for the next major release.

This hasn't been a highly requested feature. I'm waiting for either breaking changes in Vite or something else that justifies releasing a new major.

[santosgagbegnon]

Hey @ElMassimo, is it possible to update the next branch to be based off the latest version of vite_rails? It looks like it's currently based off of the v3.0.8 which was released in 2022.

I'd like to use the Subresource integrity feature, but also need some of the fixes & features that were introduced in later releases (example)

Thanks!

[renchap]

Hi there!

Any news on this feature? Is there something I can do to help?

I am working on replacing Webpacker with Vite for Mastodon (see https://github.com/mastodon/mastodon/pull/24981) and SRI is a requirement for us.

[mjankowski]

Also curious here ... this feature seems like it's been done for ~2+ years, but hasn't been released yet?

Are you still hesitant to ship 4.0 with JUST this? If so, are you open to PRs that try to fold it into 3.x?

Separately - are there any other changes queueud up (I see some ruby version support changes in last few months, 3.0 is now EOL, etc...) which might help justify a 4.0?