mozilla / remote-newtab

Remotely-hosted New Tab Page
https://mozilla.github.io/remote-newtab/src/
Mozilla Public License 2.0

Implement SRI #133

Open oyiptong opened 8 years ago

oyiptong commented 8 years ago

Implement Subresource Integrity for the index.html and subsequent pages

oyiptong commented 8 years ago

here's @dougt's contribution for a build-step that adds the relevant bits to our compiled pages:

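var replaceStream = require('replacestream')
  , fs = require('fs')
  , path = require('path')
  , crypto = require('crypto')

// Append an SRI integrity attribute to a matched <script src=...> or <link href=...>.
// `match` is the text matched so far; `url` is the captured src/href value.
function addIntegrityAttr(match, url) {

    // Resolve the resource next to index.html rather than the working directory
    var buffer = fs.readFileSync(path.join(__dirname, url));

    // SRI uses a plain (unkeyed) hash, so createHash takes only the algorithm
    var hash = crypto.createHash('sha256');
    hash.update(buffer)

    // The integrity value is "<alg>-<base64 digest>"; a hex digest is rejected by browsers
    return match + " integrity=\"sha256-" + hash.digest('base64') + "\"";
}

// [^>]*? keeps each match inside a single tag when several tags share a line
fs.createReadStream(path.join(__dirname, 'index.html'))
  .pipe(replaceStream(/<script[^>]*?src="(.*?)"/g, addIntegrityAttr))
  .pipe(replaceStream(/<link[^>]*?href="(.*?)"/g, addIntegrityAttr))
  .pipe(process.stdout);

marcoscaceres commented 8 years ago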

@dougt, yeah, something like that would be great.

franziskuskiefer commented 8 years ago

@oyiptong I think we should use at least sha384 here

oyiptong commented 8 years ago

excellent. sha384 it is then.
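
A check that could run over the compiled pages after the build step discussed in this thread, shown as an added example that is not part of the original issue or the project's code: it audits each `<script src>` and `<link href>` tag for a missing, hex-encoded, mismatching, or weaker-than-sha384 integrity value. The names `auditSri`, `sriFor`, `readResource` and the sample files are assumptions made for illustration, and each integrity attribute is assumed to hold a single hash.

```javascript
const crypto = require('crypto');

// Raw digest sizes in bytes, listed weakest to strongest.
const DIGEST_BYTES = { sha256: 32, sha384: 48, sha512: 64 };

// SRI metadata for a resource: "<alg>-<base64 of the raw digest>".
function sriFor(buffer, alg = 'sha384') {
  return alg + '-' + crypto.createHash(alg).update(buffer).digest('base64');
}

// Audit every <script src> and <link href> tag in `html`.
// readResource(url) must return the file's bytes (hypothetical loader supplied by the caller).
// Returns a list of { url, issue }; an empty list means every tag passed.
function auditSri(html, readResource, minAlg = 'sha384') {
  const algs = Object.keys(DIGEST_BYTES);
  const findings = [];
  for (const [tag] of html.matchAll(/<(?:script|link)\b[^>]*>/g)) {
    const url = (/\s(?:src|href)="([^"]*)"/.exec(tag) || [])[1];
    if (!url) continue; // inline script: nothing to pin
    const integrity = (/\sintegrity="([^"]*)"/.exec(tag) || [])[1];
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(integrity || '');
    let issue = null;
    if (!integrity) issue = 'missing integrity attribute';
    else if (!m) issue = 'malformed integrity value';
    else if (Buffer.from(m[2], 'base64').length !== DIGEST_BYTES[m[1]])
      issue = 'digest is not base64 of a ' + m[1] + ' hash (hex-encoded?)';
    else if (sriFor(readResource(url), m[1]) !== integrity) issue = 'digest does not match file';
    else if (algs.indexOf(m[1]) < algs.indexOf(minAlg)) issue = 'algorithm weaker than ' + minAlg;
    if (issue) findings.push({ url, issue });
  }
  return findings;
}

// Constructed sample: two in-memory files and a page that references them.
const files = {
  'app.js': Buffer.from('console.log("newtab");'),
  'main.css': Buffer.from('body { margin: 0; }'),
};
const hex = crypto.createHash('sha256').update(files['app.js']).digest('hex');
const sampleHtml = [
  '<script src="app.js" integrity="sha256-' + hex + '"></script>', // hex digest
  '<script src="app.js" integrity="' + sriFor(files['app.js'], 'sha256') + '"></script>', // weak
  '<link rel="stylesheet" href="main.css" integrity="' + sriFor(files['main.css']) + '">', // ok
  '<link rel="stylesheet" href="main.css">', // not pinned
].join('\n');

console.log(auditSri(sampleHtml, (url) => files[url]));
```

A non-empty result can fail the build, so a page with an unpinned or wrongly encoded resource is never published.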