sitespeedio / coach

Clear Eyes. Full Hearts. Can’t Lose.
MIT License

Subresource Integrity advice #78

Open soulgalore opened 8 years ago

soulgalore commented 8 years ago

As reported by @tobli this could be something for the coach:

https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/
https://hacks.mozilla.org/2016/04/how-to-implement-sri-into-your-build-process/

We could add an advice and put it in the best practice category for now.

jdorfman commented 8 years ago

@soulgalore First I want to say how amazing this product is. Especially the little big details such as:

The page is using SPDY. Chrome will drop support for SPDY May 15th. Change to HTTP/2 asap.

Would you like the advice as a PR or a User Story written in Gherkin Lang? Let me know, can't wait to get this in.

soulgalore commented 8 years ago

Thanks @jdorfman :) The good thing, I think, is that we know that something like the coach is never finished, so we will continue to add/change advice when browsers evolve.

If you could implement it and send a PR that would be great! @tobli and my work on sitespeed.io 4.0 will keep us busy for the coming months so if you have time to implement it, it would be great! And we can help out of course, there can be some docs that are missing. Ping me on Twitter/email or this issue :)

jdorfman commented 8 years ago

I think @jonathanKingston might be able to get this done faster than I can. I am going to send him an email.

jonathanKingston commented 8 years ago

Hey @jdorfman we should start an SRI anonymous club :). Thanks for pinging me.

I don't have the greatest amount of time at the moment; however, we can kick off the conversation at least.

Checking for validity probably makes sense here and advising if they have it wrong (not sure if multiple states for the message are exposable on the report card at the moment).

For security-related tests the amazing https://github.com/mozilla/http-observatory by @marumari is worth checking out as there will be massive overlap.
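
The validity check suggested in the comment above, as an added example that is not part of this thread or of the coach's own code: it validates each `integrity` value and reports one state per resource. The function names, the state names and the plain-object resource shape are assumptions made for illustration.

```javascript
// Added example. Resources are plain objects, not live DOM nodes (assumption).
const DIGEST_BYTES = new Map([['sha256', 32], ['sha384', 48], ['sha512', 64]]);

// Split an integrity attribute into hash expressions and check each one.
function parseIntegrity(value) {
  return value.trim().split(/\s+/).filter(Boolean).map((token) => {
    const m = /^([^-\s]+)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    if (!m) return { token, valid: false, reason: 'not in <alg>-<base64> form' };
    const [, alg, b64] = m;
    const want = DIGEST_BYTES.get(alg);
    if (want === undefined) return { token, valid: false, reason: `unsupported algorithm ${alg}` };
    // Decoded length implied by the base64 text, ignoring padding.
    const bytes = Math.floor((b64.replace(/=+$/, '').length * 3) / 4);
    if (bytes !== want) {
      return { token, valid: false, reason: `${alg} digest is ${bytes} bytes, expected ${want}` };
    }
    return { token, valid: true, alg };
  });
}

// One advice state per resource (state names are hypothetical):
// 'ok', 'missing', 'invalid', 'no-cors' or 'same-origin'.
function sriAdvice(pageUrl, resources) {
  const pageOrigin = new URL(pageUrl).origin;
  return resources.map((r) => {
    const crossOrigin = new URL(r.url, pageUrl).origin !== pageOrigin;
    if (!r.integrity || !r.integrity.trim()) {
      return { url: r.url, state: crossOrigin ? 'missing' : 'same-origin' };
    }
    const bad = parseIntegrity(r.integrity).filter((p) => !p.valid);
    if (bad.length > 0) {
      return { url: r.url, state: 'invalid', reasons: bad.map((p) => p.reason) };
    }
    // A cross-origin fetch needs CORS for the browser to verify the hash.
    if (crossOrigin && r.crossorigin == null) return { url: r.url, state: 'no-cors' };
    return { url: r.url, state: 'ok' };
  });
}

// Constructed sample: the digests are filler of the right length, not real hashes.
const SAMPLE = [
  { url: 'https://cdn.example/lib.js', integrity: 'sha384-' + 'A'.repeat(64), crossorigin: 'anonymous' },
  { url: 'https://cdn.example/ui.js' },
  { url: 'https://cdn.example/app.css', integrity: 'sha256-abc123', crossorigin: 'anonymous' },
  { url: 'https://cdn.example/x.js', integrity: 'sha512-' + 'A'.repeat(86) + '==' },
  { url: '/local.js' },
];

for (const a of sriAdvice('https://www.example/', SAMPLE)) console.log(a.state, a.url, a.reasons || '');
```

This only checks that a value is well formed; confirming that the digest matches the served file would additionally require fetching and hashing the resource.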

XhmikosR commented 8 years ago

I tried looking into this but since I'm on Windows I'm hitting #119.

Once that's sorted, perhaps with #118 for automated Windows testing, I will try to take a stab at this.