web-infra-dev / rspack

The fast Rust-based web bundler with webpack-compatible API 🦀️
https://rspack.dev
MIT License

support webpack-subresource-integrity #4381

Open ityuany opened 9 months ago

ityuany commented 9 months ago

What problem does this feature solve?

Used to prevent carrier hijacking.

support webpack-subresource-integrity

What does the proposed API of configuration look like?

none

ityuany commented 9 months ago

compilation.hooks.beforeRuntimeRequirements needs to be supported

hardfist commented 9 months ago

compilation.hooks.beforeRuntimeRequirements is not easy to support in the near future. May need to find some workaround.

stale[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. If this issue is still affecting you, please leave any comment (for example, "bump"). We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

pjean commented 7 months ago

Reviving this issue because we will not be able to adopt rspack without this feature due to internal security constraints in our firm.

hardfist commented 7 months ago

@pjean https://www.rspack.dev/config/plugins.html#htmlrspackplugin supports sri, if you need sri you can use rspack.HtmlRspackPlugin for workaround

pjean commented 7 months ago

Ok, I missed that this plugin supports it. Thank you

stale[bot] commented 5 months ago

This issue has been automatically marked as stale because it has not had recent activity. If this issue is still affecting you, please leave any comment (for example, "bump"). We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

Braden1996 commented 4 months ago

Bumping this :-) We generate a hydrated HTML doc on request (and manually manage integrity of top-level scripts), so cannot really use the aforementioned plugin. Would be great if RSPack supported webpack-subresource-integrity as it's the one thing keeping us on Webpack for production.


import {RsbuildPlugin, mergeRsbuildConfig} from "@rsbuild/core"
import {SubresourceIntegrityPlugin} from "webpack-subresource-integrity"

import baseConfig from "./rsbuild.config"

// Registers webpack-subresource-integrity on the bundler chain that Rsbuild
// builds for Rspack, requesting both sha256 and sha384 digests.
export function pluginSubresourceIntegrityPlugin(): RsbuildPlugin {
    return {
        name: "plugin-subresource-integrity-plugin",
        setup(api) {
            api.modifyBundlerChain(async (chain) => {
                chain
                    .plugin("subresource-integrity-plugin")
                    .use(SubresourceIntegrityPlugin, [{hashFuncNames: ["sha256", "sha384"]}])
            })
        },
    }
}

export default mergeRsbuildConfig(baseConfig, {
    html: {
        // SRI checks only apply to CORS-enabled fetches, so emit crossorigin="anonymous" on tags
        crossorigin: "anonymous",
    },
    plugins: [pluginSubresourceIntegrityPlugin()],
})

hardfist commented 4 months ago

@chenjiahan is it possible for rsbuild to support webpack-subresource-integrity in the forked html-webpack-plugin out of the box?

chenjiahan commented 4 months ago

Currently html-rspack-plugin maintains the same API as html-webpack-plugin, so we have no plan to support SRI in this plugin.

In this way we are able to provide support for SRI:

  1. Fork webpack-subresource-integrity to rspack-subresource-integrity.
  2. Add a new HtmlPlugin option to set the html plugin instance. This change is to solve the problem that webpack-subresource-integrity couples with html-webpack-plugin.
  3. Try replacing the beforeRuntimeRequirements hook with other hooks.
  4. Pass the HtmlPlugin instance of Rsbuild to rspack-subresource-integrity:

import type { RsbuildPlugin } from "@rsbuild/core";
import { SubresourceIntegrityPlugin } from "rspack-subresource-integrity";

export function pluginSubresourceIntegrityPlugin(): RsbuildPlugin {
    return {
        name: "plugin-subresource-integrity-plugin",
        setup(api) {
            // Rsbuild exposes its HtmlPlugin class to modifyBundlerChain; hand it to the
            // forked plugin so it no longer has to import html-webpack-plugin itself.
            api.modifyBundlerChain(async (chain, { HtmlPlugin }) => {
                chain
                    .plugin("subresource-integrity-plugin")
                    .use(SubresourceIntegrityPlugin, [
                        { hashFuncNames: ["sha256", "sha384"] },
                        HtmlPlugin,
                    ])
            })
        },
    }
}

I will try to get the above solution ready in the next two weeks.

chenjiahan commented 4 months ago

I have forked the webpack-subresource-integrity and finished most of the tasks.

The forked repo is: https://github.com/rspack-contrib/rspack-subresource-integrity

The current blocker is that Rspack doesn't support the updateHash hook of RealContentHashPlugin, but webpack-subresource-integrity depends on it (see https://github.com/rspack-contrib/rspack-subresource-integrity/blob/main/webpack-subresource-integrity/src/index.ts#L122-L127)

@ahabhgk can Rspack support this hook?

ahabhgk commented 4 months ago

Can support, but:

  1. It affects performance; basically every asset will run this hook.
  2. This hook shouldn't affect the result, because the hook runs only when optimization.realContentHash is enabled, so the result should still be correct when realContentHash is disabled. I want to know whether/why this hook is important for the plugin?

chenjiahan commented 4 months ago

> the result should still be correct when realContentHash is disabled

It is recommended to always enable realContentHash when using SRI, see webpack-subresource-integrity - Caveats for more information.

> I want to know whether/why this hook is important for the plugin?

I currently can't determine the impact of lacking this hook. I tried bypassing this hook, but it resulted in the plugin not working.

Anyway, I will try some alternative solutions.

Braden1996 commented 3 months ago

> > the result should still be correct when realContentHash is disabled
>
> It is recommended to always enable realContentHash when using SRI, see webpack-subresource-integrity - Caveats for more information.
>
> > I want to know whether/why this hook is important for the plugin?
>
> I currently can't determine the impact of lacking this hook. I tried bypassing this hook, but it resulted in the plugin not working.
>
> Anyway, I will try some alternative solutions.

Hey @chenjiahan, apologies for the bump, just wondering if you've been able to figure anything out on this? :)

chenjiahan commented 3 months ago

Sorry I don't have time to do this yet, I will restart the work soon.

chenjiahan commented 1 month ago

Rsbuild now provides the security.sri option to support SRI.

It is still difficult to make webpack-subresource-integrity work in Rspack, as Rspack lacks some key hooks such as RealContentHashPlugin.getCompilationHooks(compilation).updateHash.

So if you need to use SRI, it is recommended to use Rsbuild.