This plugin will ensure that bundles have not been tampered with, and allow for trusted use of third-party hosting for bundles (such as a public CDN). The general implementation will be as follows:
- [ ] add an additional provider with the following behavior:
  - [ ] on load: check for a global variable containing a map of bundle filenames to their SHA-1 hashes
  - [ ] on load: if the global variable is not found, notify the user with an `alert()` and set internal state such that any requests go to the *next* runtime bundle provider
  - [ ] on module request: if the module is not contained within a hashed bundle, fall back to the *next* runtime module provider
  - [ ] on module request: if the module is contained within a hashed bundle, create an XHR request for the bundle in question, rather than a script tag
  - [ ] on request success: when the XHR 200 response comes back, generate a SHA-1 hash of the bundle's raw text [1]
  - [ ] on request success: if the hash does not match, notify the user with an `alert()`
  - [ ] on request success: if the hash does match, create a new `<script>` tag with a `src` value of `data:text/javascript,...` [2]
- [ ] add `transform` to `emitRawBundles` step
  - [ ] generate SHA-1 hashes of `bundle.raw` values [1]
  - [ ] create map of bundle filenames to SHA-1 hashes
  - [ ] append an output file to the array of bundles which, when loaded, sets a global variable that contains the `filename:SHA-1` map
Constraints:

- the script containing the hashes must be loaded as a separate script, or inlined into the HTML, on initial page load
- the server hosting signed bundles must allow cross-origin XHR requests from the loaded site
Implement the `interlock-signed` plugin.
[1] http://www.movable-type.co.uk/scripts/sha1.html
[2] https://developer.mozilla.org/en-US/Add-ons/Code_snippets/Rosetta, line 45 of the code sample