parcel-bundler / parcel

The zero configuration build tool for the web. 📦🚀
https://parceljs.org
MIT License

Subresource Integrity #2003

Open robsonsobral opened 5 years ago

robsonsobral commented 5 years ago

Feature Request

Hi! Does Parcel support Subresource Integrity?

🔦 Context

I'm still testing and reading about Parcel (yes, I started last weekend) and couldn't find anything about it.

💻 Code Sample

🌍 Your Environment

| Software         | Version(s) |
| ---------------- | ---------- |
| Parcel           |            |
| Node             |            |
| npm/Yarn         |            |
| Operating System |            |

DeMoorJasper commented 5 years ago

It currently does not

Sent with GitHawk

robsonsobral commented 5 years ago

Thank you, @DeMoorJasper . 😞

Taym95 commented 5 years ago

Hey @DeMoorJasper, I would like to work on this issue, if you don't mind I would like you to guide me a little bit!

DeMoorJasper commented 5 years ago

@Taym95 awesome, the html transforms are being done inside assets/HTMLAsset https://github.com/parcel-bundler/parcel/blob/master/src/assets/HTMLAsset.js

You might wanna look at how the name replacing got implemented, as this would need the hash of the final bundles. (and HTMLAsset only has access to asset hashes of the JS files) Not even sure this is possible, didn't realise it when I originally flagged this as good first issue

Taym95 commented 5 years ago

Oops!

mischnic commented 5 years ago

> Not even sure this is possible

HTMLPackager would have to run after all childBundles are completely packaged. That isn't the case. First attempt here: https://github.com/parcel-bundler/parcel/tree/subres-integrity

krnlde commented 5 years ago

Mhm, I got the feeling SRI only makes sense when using CORS or external dependencies (like CDNs). What would be the benefits in checksumming the files in the same domain?

jonathannen commented 5 years ago

I've written a package to handle SRI for parcel: https://www.npmjs.com/package/parcel-plugin-subresource-integrity

Give it a try and feel free to ping me with an issue if you get stuck.

muelli commented 4 years ago

Cool. It would really be nice if Parcel did it natively.

CxRes commented 2 years ago

Would it be possible to enable this in v2? I was trying with posthtml-sri, but that did not work. You already are calculating hashes by default, it should be as simple as tacking it onto an integrity attribute.

bartTC commented 1 year ago

I solved this by running it as a separate process after the parcel build:

e.g:

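```sh
# Install the PostHTML CLI and the SRI plugin
npm install posthtml-cli posthtml-sri
# Run the plugin over the built HTML, resolving asset paths relative to build/
npx posthtml -u posthtml-sri --posthtml-sri.basePath=build/ build/index.html
```

rvcarlig commented 11 months ago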

> I've written a package to handle SRI for parcel: https://www.npmjs.com/package/parcel-plugin-subresource-integrity
>
> Give it a try and feel free to ping me with an issue if you get stuck.

@jonathannen, does this package still work with v2?
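
Added example (not part of the thread, and not Parcel's or any commenter's code): the post-build approach discussed above, hashing the final bundle bytes and writing `integrity` attributes into the built HTML, then re-checking them so a bundle rewritten after stamping is caught. The function names `sriDigest`, `addIntegrity`, `fromDir` and `findMismatches` are hypothetical, and the regex tag matching assumes quoted attributes and a single hash per `integrity` value.

```javascript
// Added example: post-build SRI stamping for a bundler output directory.
const crypto = require("node:crypto");
const fs = require("node:fs");
const path = require("node:path");

// SRI value: "<algo>-<base64 digest>" over the exact bytes the browser will fetch.
function sriDigest(bytes, algo = "sha384") {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest("base64")}`;
}

// Matches <script ... src="..."> and <link ... href="..."> opening tags.
// A regex is a simplification; a real tool would use an HTML parser.
const TAG = /<(script|link)\b([^>]*?\s)(src|href)=["']([^"']+)["']([^>]*)>/gi;

// readAsset(url) returns the final bundle bytes, or null to leave the tag alone.
function addIntegrity(html, readAsset) {
  return html.replace(TAG, (tag, name, pre, attr, url, post) => {
    const rest = pre + post;
    if (/\bintegrity=/i.test(rest)) return tag; // already stamped
    if (name.toLowerCase() === "link" && !/\brel=["']?stylesheet/i.test(rest)) return tag;
    const bytes = readAsset(url);
    if (bytes === null) return tag;
    return `<${name}${pre}${attr}="${url}" integrity="${sriDigest(bytes)}"${post}>`;
  });
}

// Resolve a URL from the HTML to a file under the build directory (local assets only).
function fromDir(dir) {
  return (url) => {
    if (/^([a-z]+:)?\/\//i.test(url)) return null; // external URL: not in the build dir
    const file = path.resolve(dir, url.replace(/^\//, "").split(/[?#]/)[0]);
    if (!file.startsWith(path.resolve(dir) + path.sep)) return null; // no path escape
    return fs.existsSync(file) ? fs.readFileSync(file) : null;
  };
}

// Re-check stamped tags; returns URLs whose bytes no longer match their integrity value.
function findMismatches(html, readAsset) {
  const bad = [];
  for (const [tag, , , , url] of html.matchAll(TAG)) {
    const m = /\bintegrity=["']([^"']+)["']/i.exec(tag);
    const bytes = readAsset(url);
    if (m && bytes !== null && m[1] !== sriDigest(bytes)) bad.push(url);
  }
  return bad;
}
```

Typical use after a build would be `addIntegrity(html, fromDir("build"))` on the contents of `build/index.html`, run only once every bundle has been written.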