Open ityuany opened 1 year ago
compilation.hooks.beforeRuntimeRequirements need support
compilation.hooks.beforeRuntimeRequirements is not easy to support in the near future. We may need to find some workaround.
This issue has been automatically marked as stale because it has not had recent activity. If this issue is still affecting you, please leave any comment (for example, "bump"). We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!
Reviving this issue because we will not be able to adopt rspack without this feature due to internal security constraints in our firm.
@pjean https://www.rspack.dev/config/plugins.html#htmlrspackplugin supports SRI. If you need SRI, you can use rspack.HtmlRspackPlugin as a workaround.
Ok, I missed that support by this plugin. Thank you.
Bumping this :-) We generate a hydrated HTML doc on request (and manually manage integrity of top-level scripts), so cannot really use the aforementioned plugin. Would be great if RSPack supported webpack-subresource-integrity as it's the one thing keeping us on Webpack for production.
```ts
import {type RsbuildPlugin, mergeRsbuildConfig} from "@rsbuild/core"
import {SubresourceIntegrityPlugin} from "webpack-subresource-integrity"
import baseConfig from "./rsbuild.config"

// Rsbuild plugin that registers webpack-subresource-integrity on the bundler chain
export function pluginSubresourceIntegrityPlugin(): RsbuildPlugin {
  return {
    name: "plugin-subresource-integrity-plugin",
    setup(api) {
      api.modifyBundlerChain(async (chain) => {
        chain
          .plugin("subresource-integrity-plugin")
          .use(SubresourceIntegrityPlugin, [{hashFuncNames: ["sha256", "sha384"]}])
      })
    },
  }
}

export default mergeRsbuildConfig(baseConfig, {
  html: {
    // emitted tags carry crossorigin="anonymous" alongside the integrity attribute
    crossorigin: "anonymous",
  },
  plugins: [pluginSubresourceIntegrityPlugin()],
})
```
@chenjiahan is it possible for rsbuild to support webpack-subresource-integrity in the forked html-webpack-plugin out of the box?
Currently html-rspack-plugin maintains the same API as html-webpack-plugin, so we have no plan to support SRI in this plugin.
In this way we are able to provide support for SRI:
- Fork webpack-subresource-integrity to rspack-subresource-integrity.
- Add a new HtmlPlugin option to set the html plugin instance. This change is to solve the problem that webpack-subresource-integrity couples with html-webpack-plugin.
- Try to replace the beforeRuntimeRequirements hook with other hooks.

Passing the HtmlPlugin instance of Rsbuild to rspack-subresource-integrity:
```ts
import type { RsbuildPlugin } from "@rsbuild/core";
import { SubresourceIntegrityPlugin } from "rspack-subresource-integrity";

export function pluginSubresourceIntegrityPlugin(): RsbuildPlugin {
  return {
    name: "plugin-subresource-integrity-plugin",
    setup(api) {
      api.modifyBundlerChain(async (chain, { HtmlPlugin }) => {
        chain
          .plugin("subresource-integrity-plugin")
          .use(SubresourceIntegrityPlugin, [{
            hashFuncNames: ["sha256", "sha384"],
            // proposed new option: the html plugin instance used by Rsbuild
            HtmlPlugin,
          }])
      })
    },
  }
}
```
I will try to get the above solution ready in the next two weeks.
I have forked webpack-subresource-integrity and finished most of the tasks.
The forked repo is: https://github.com/rspack-contrib/rspack-subresource-integrity
The current blocker is that Rspack doesn't support the updateHash hook of RealContentHashPlugin, but webpack-subresource-integrity depends on it (see https://github.com/rspack-contrib/rspack-subresource-integrity/blob/main/webpack-subresource-integrity/src/index.ts#L122-L127).
@ahabhgk can Rspack support this hook?
Can support but:
- optimization.realContentHash is enabled, the result should still be correct when realContentHash is disabled.
- I want to know if/why this hook is important for the plugin?

> the result should still be correct when realContentHash is disabled

It is recommended to always enable realContentHash when using SRI, see webpack-subresource-integrity - Caveats for more information.

> I want to know if/why this hook is important for the plugin?

I currently can't determine the impact of lacking this hook. I tried bypassing this hook, but it resulted in the plugin not working.
Anyway, I will try some alternative solutions.
Hey @chenjiahan, apologies for the bump, just wondering if you've been able to figure anything out on this? :)
Sorry I don't have time to do this yet, I will restart the work soon.
Rsbuild now provides the security.sri option to support SRI.
It is still difficult to make webpack-subresource-integrity work in Rspack, as Rspack lacks some key hooks such as RealContentHashPlugin.getCompilationHooks(compilation).updateHash.
So if you need to use SRI, it is recommended to use Rsbuild.
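Whichever tool writes the integrity attributes, a post-build check can confirm that the HTML and the emitted files still agree, which matters most when the HTML is generated outside the bundler as described earlier in the thread. The following is an added example, not code from Rspack, Rsbuild or webpack-subresource-integrity; the function names, asset path and sample HTML are constructed, and it assumes assets are served cross-origin so that a crossorigin attribute is expected.

```javascript
const { createHash } = require("node:crypto");

const STRENGTH = ["sha256", "sha384", "sha512"]; // weakest to strongest

// Build an integrity value such as "sha256-... sha384-..." for one asset.
function sriFor(bytes, algos = ["sha256", "sha384"]) {
  return algos.map((a) => `${a}-${createHash(a).update(bytes).digest("base64")}`).join(" ");
}

// Browsers enforce only the strongest algorithm listed, so a correct sha256
// next to a stale sha384 still blocks the script. Check that algorithm only.
function matches(integrity, bytes) {
  const tokens = integrity.split(/\s+/).filter(Boolean).map((t) => {
    const i = t.indexOf("-");
    return { algo: t.slice(0, i), value: t.slice(i + 1).split("?")[0] };
  }).filter((t) => STRENGTH.includes(t.algo));
  if (tokens.length === 0) return false; // nothing a browser would enforce
  const best = tokens.map((t) => t.algo)
    .sort((a, b) => STRENGTH.indexOf(b) - STRENGTH.indexOf(a))[0];
  const expected = createHash(best).update(bytes).digest("base64");
  return tokens.some((t) => t.algo === best && t.value === expected);
}

// List problems for every <script src> / <link href> tag in the HTML.
// `assets` maps a URL as written in the HTML to the bytes that were emitted.
function auditHtml(html, assets) {
  const problems = [];
  for (const [tag] of html.matchAll(/<(?:script|link)\b[^>]*>/gi)) {
    const attr = (n) => (tag.match(new RegExp(`\\s${n}=["']([^"']*)["']`, "i")) || [])[1];
    const url = attr("src") || attr("href");
    if (!url) continue; // inline script or style, nothing is fetched
    if (!(url in assets)) { problems.push(`${url}: not in build output`); continue; }
    const integrity = attr("integrity");
    if (!integrity) problems.push(`${url}: missing integrity`);
    else if (!matches(integrity, assets[url])) problems.push(`${url}: integrity does not match emitted bytes`);
    // Assumption: assets come from another origin, so crossorigin is required.
    if (attr("crossorigin") === undefined) problems.push(`${url}: missing crossorigin`);
  }
  return problems;
}

// Constructed sample: one emitted chunk and the HTML tag that references it.
const sampleAssets = { "/static/js/index.js": Buffer.from("console.log('hi')") };
const sampleHtml = `<script defer src="/static/js/index.js" integrity="${
  sriFor(sampleAssets["/static/js/index.js"])}" crossorigin="anonymous"></script>`;
console.log(auditHtml(sampleHtml, sampleAssets));
```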
What problem does this feature solve?
Used to prevent carrier hijacking.
support webpack-subresource-integrity
What does the proposed API of configuration look like?
none