rails / sprockets-rails

Sprockets Rails integration
MIT License

SRI attribute doesn't get applied to a dynamically-generated javascript tag #359

Open connorshea opened 8 years ago

connorshea commented 8 years ago

I have a dynamically-generated JS tag, as follows:

= javascript_include_tag page_specific_javascripts, {"data-turbolinks-track" => true}

Changing this to either of the following will not generate the integrity attribute for the script tag:

= javascript_include_tag page_specific_javascripts, {:integrity => true, "data-turbolinks-track" => true}
# => <script src="/assets/network/application-58e82c6d57b3f05eb6fde81af942c4e4522281b5dad32a8fa5aeab0ae36c458b.js" data-turbolinks-track="true"></script>
= javascript_include_tag page_specific_javascripts, integrity: true
# => <script src="/assets/network/application-58e82c6d57b3f05eb6fde81af942c4e4522281b5dad32a8fa5aeab0ae36c458b.js"></script>

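Environment details:

  • rails 4.2.6
  • sprockets-rails 3.0.4
  • Using HTTPS in my dev environment, other JS and CSS integrity tags work just fine, only this dynamic one is causing problems.
  • The page_specific_javascripts variable is always a manifest file added to the precompile step, I can provide more information/code if need be.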

Feel free to ask if anything here isn't clear, and this is in GitLab, which is fully open source so you can poke around (here's the javascript_include_tag in question and the page_specific_javascripts helper).

I haven't pushed or merged the SRI work yet, and I can provide a much smaller example app if it's deemed necessary.

Thanks, Connor Shea

rafaelfranca commented 8 years ago

Which version of sprockets?

On Mon, Jun 20, 2016 at 16:28 Connor Shea notifications@github.com wrote:

I have a dynamically-generated JS tag, as follows:

= javascript_include_tag page_specific_javascripts, {"data-turbolinks-track" => true}

Changing this to either of the following will not generate the integrity attribute for the script tag:

= javascript_include_tag page_specific_javascripts, {:integrity => true, "data-turbolinks-track" => true}

=>

= javascript_include_tag page_specific_javascripts, integrity: true

=>

Environment details:

  • rails 4.2.6
  • sprockets-rails 3.0.4
  • Using HTTPS in my dev environment, other JS and CSS integrity tags work just fine, only this dynamic one is causing problems.
  • The page_specific_javascripts variable is always a manifest file added to the precompile step, I can provide more information/code if need be.

Feel free to ask if anything here isn't clear, and this is in GitLab, which is fully open source so you can poke around (here's the javascript_include_tag in question https://github.com/gitlabhq/gitlabhq/blob/30524901e28176e96e7c0d1a710508367ff99d9f/app/views/layouts/_head.html.haml#L33 and the page_specific_javascripts helper https://github.com/gitlabhq/gitlabhq/blob/30524901e28176e96e7c0d1a710508367ff99d9f/app/helpers/javascript_helper.rb ).

I haven't pushed or merged the SRI work yet, and I can provide a much smaller example app if it's deemed necessary.

Thanks, Connor Shea


connorshea commented 8 years ago

@rafaelfranca Sprockets 3.6.0

connorshea commented 8 years ago

I tried implementing it like this:

module JavascriptHelper
  def page_specific_javascript_tag(js)
    javascript_include_tag asset_path(js), { integrity: true, "data-turbolinks-track" => true }
  end
end

where the asset is added inline to the page like:

# In the <head>
- if content_for?(:page_specific_javascripts)
  = yield :page_specific_javascripts
# On the page
= page_specific_javascript_tag('graphs/application.js')

Unfortunately, that doesn't work either. Doesn't seem to be a turbolinks problem, because if I just use javascript_include_tag asset_path(js), integrity: true it will do the same thing (not show any integrity attribute).

I'll put together an example app (without HAML) and see if I can reproduce the problem. I'd really like to get this working properly.

connorshea commented 8 years ago

Here's my example app: https://github.com/connorshea/sprockets-sri-example

Screenshot of the problem occurring:

[Image: screen shot 2016-06-23 at 3 00 47 pm]

It's using my fork of sprockets-rails for the time being because otherwise it would require HTTPS.

The problem can be seen at the /welcome/index route.

Important files/bits of code:

The purpose of the page_specific_javascripts method is to load certain scripts only on certain pages, which is why it needs to work this way.

Please ask me if you have any questions at all. Other than the changes I mentioned, there aren't any differences between this and a default Rails 4.2.6 app.

reedloden commented 7 years ago

We're seeing something similar, and I suspect it's related...

  <%= stylesheet_link_tag frontend_stylesheet_path("frontend.css"), media: "all", integrity: true %>
  <%= stylesheet_link_tag "vendor.css", media: "all", integrity: true %>

The vendor.css gets the integrity attribute added fine, but the frontend.css one does not include the attribute at all. frontend_stylesheet_path() just returns the path to the file based on our asset manifest (that comes from webpack).

dtangeeda commented 4 years ago

This issue of not generating the checksum (hash) for SRI occurs only in a local build when using "bundle exec rails s". But it does generate it in production mode. Please try running the bundle exec in prod mode.
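
A check for the symptom reported in this thread, as an added example (not code from sprockets-rails or from any commenter): because the helper drops the attribute silently, this scans rendered HTML for external script and stylesheet tags whose integrity attribute is missing or does not match the asset bytes. The sample markup, asset names and the `audit_sri` / `sri_sha256` helpers are constructed for illustration.

```ruby
require "digest"
require "base64"

# SRI value for asset bytes, in the "sha256-<base64 digest>" form browsers expect.
def sri_sha256(bytes)
  "sha256-" + Base64.strict_encode64(Digest::SHA256.digest(bytes))
end

TAG_RE  = /<(script|link)\b([^>]*)>/i
ATTR_RE = /([\w:-]+)\s*=\s*"([^"]*)"/

# Returns one finding per external script / stylesheet tag whose integrity
# attribute is absent or does not match the bytes in `assets` (url => content).
def audit_sri(html, assets = {})
  html.scan(TAG_RE).filter_map do |name, raw|
    attrs = raw.scan(ATTR_RE).to_h { |k, v| [k.downcase, v] }
    url = name.casecmp?("script") ? attrs["src"] : attrs["href"]
    next if url.nil? # inline script, or a link without href
    next if name.casecmp?("link") && attrs["rel"].to_s.downcase != "stylesheet"
    integrity = attrs["integrity"]
    if integrity.nil? || integrity.empty?
      { url: url, problem: :missing }
    elsif assets.key?(url) && !integrity.split.include?(sri_sha256(assets[url]))
      { url: url, problem: :mismatch }
    end
  end
end

# Constructed sample: markup shaped like the tags reported in this thread
# (hypothetical digests and file contents).
SAMPLE_ASSETS = { "/assets/vendor-abc123.css" => "body{margin:0}" }.freeze
SAMPLE_HTML = <<~HTML
  <script src="/assets/network/application-0000.js" data-turbolinks-track="true"></script>
  <link rel="stylesheet" media="all" href="/assets/frontend-def456.css" />
  <link rel="stylesheet" media="all" href="/assets/vendor-abc123.css" integrity="#{sri_sha256(SAMPLE_ASSETS.values.first)}" />
  <script>console.log("inline scripts carry no src and are skipped")</script>
HTML

if __FILE__ == $PROGRAM_NAME
  audit_sri(SAMPLE_HTML, SAMPLE_ASSETS).each { |f| puts "#{f[:problem]}: #{f[:url]}" }
end
```

Run against the response body in a view or integration test, in both development and production-like environments, so a dropped attribute fails the build instead of shipping unnoticed.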