-
-
Notifications
You must be signed in to change notification settings - Fork 6.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add native support for SRI #2377
Comments
@Exelord Hey Maciej, were you able to get that SRI plugin to work in Vite 2 at all? I’ve tried adding it to plugins (and, later to just, build.rollupOptions.plugins) but all I’m seeing is Update: I’ve now tried my Also, I just noticed that I’m getting a non-warning warning in the output, which might be related:
Vite config file: import os from 'os'
import fs from 'fs'
import path from 'path'
import { defineConfig } from 'vite'
import svelte from '@sveltejs/vite-plugin-svelte'
import sri from 'rollup-plugin-sri'
import html from '@rollup/plugin-html'
const certDirectory = path.join(os.homedir(), '.small-tech.org', 'auto-encrypt-localhost')
const cert = fs.readFileSync(path.join(certDirectory, 'localhost.pem'))
const key = fs.readFileSync(path.join(certDirectory, 'localhost-key.pem'))
// https://vitejs.dev/config/
export default defineConfig({
plugins: [svelte()],
server: {
port: 444,
https: {key, cert}
},
build: {
outDir: 'dist',
rollupOptions: {
plugins: [html(), sri()]
}
}
}) (Although, as previously mentioned, same results when not including html plugin and when including sri and/or html and sri in root plugins array instead of |
Hi Aral. Yeah, I had similar issue. I was not able to set it up on my own, that's why I raised this issue to handle SRI as a default Vite feature as it's not quite easy to do so independently, and it's definitely a core security feature. Very curios if somebody had achieved that, though :) |
@Exelord Thanks! Looking into it further, it appears that Vite has a special hook for transforming the index HTML file: https://vitejs.dev/guide/api-plugin.html#transformindexhtml – I’m going to take a look at modifying the plugin to make use of it. Also opened an issue there to track: JonasKruckenberg/rollup-plugin-sri#99 |
Quick heads up: I’m rolling my own very simple Vite plugin. Will update once it’s ready. |
Hello again, it’s out :) https://github.com/small-tech/vite-plugin-sri Also note that Jonas is also working on getting his more generic/configurable rollup plugin that mine was inspired by working with Vite too. You can keep an eye on the progress of that here: JonasKruckenberg/rollup-plugin-sri#99 |
@aral nice! @Exelord if everything you need from Vite to create this plugin is already available, let's close this issue. Consider sending the plugin to https://github.com/vitejs/awesome-vite once it is ready so others can discover it, and also share it in the #plugins channel in https://chat.vitejs.dev |
Im also proposing to make it a default in Vite :) Its a core security feature which shouldn't be optional. The whole community can benefit from it. |
Is it possible generate SRI directly to manifest file? Not just change in index HTML file (which I don't use it). |
@pepa-linha Created vite-plugin-manifest-sri, which might be useful for your use case. |
@ElMassimo Thanks, it looks good. (I created something similar, I have to modify the manifest more, because, for example, styles that are like |
Just like the |
Hello, just wanted to let the team know: the workarounds mentionned in this thread are not ideal. None of them support integrity hashes on dynamically loaded modules. This is blocking us from migrating from CRA to vite, as webpack-subresource-integrity (used internally by CRA) supports this, and it is a really important feature for us. I think whatever native solution is brought into vite should have parity with webpack-subresource-integrity if possible, thanks 🙏 ! |
"None of them support integrity hashes on dynamically loaded modules." - I may be in the process of making this general observation as well, but I am super-new to both Vite and Vue so I do think I'm still missing something in my understanding. I am adding my details to this thread in case others are observing something similar, looking for a little guidance myself, and offering to help, if I can. Specifically, it appears to me that something (...probably the Vue plug in? Or vite itsef?) adds additional javascript content to the output .js files AFTER the This appears to be the case empirically for both vite-plugin-sri and rollup-plugin-sri. I didn't actually try vite-plugin-manifest-sri, but by inspection it appears it will have the same issue. In any case, certainly looking forward to figuring out a good way to support SRI and CSP with a statically generated single page Vue application. If anyone can help me understand and configure a build without the additional Javascript, I'd greatly appreciate it. Alternately, if there is a mechanism for ensuring that And, bottom line: Thanks to everyone involved, with both Vite and the various existing SRI plug-ins; I appreciate what you have done here. Pinging for awareness, it looks like @estahn may take [over as maintainer]((JonasKruckenberg/rollup-plugin-sri#393) for @JonasKruckenberg, and @aral is already in this thread. -Tim |
@TimJohns I'm not sure However, this plugin is meant to be used with a backend integration, and not for apps where Vite generates |
Has there been any discussions about this? I'm thinking of trying to write a plugin for augmenting dynamic import capabilities, but it doesn't look like it would be possible. As far as I know, the only way would be to inject a configurable From the plugin api docs it seems possible to rewrite |
In my case, The vite-plugin-sri and rollup-plugin-sri plugins are not work. In vite/packages/vite/src/node/plugins/index.ts Line 100 in 733fab8
|
I make a plugin to resolve this problem |
Hi, |
If the Vite team is interested, I'm willing to submit a PR by integrating the plugin. |
Hey all, this seems a bit late - but this sort of ties into the whole CSP & SRI conversations that's happening here: I've just released V1 of Please check it out - any feedback is welcome! |
FYI, @RockiRider does your plugin do SRI as well? The way I see it, CSP and SRI are orthogonal (though both useful!) |
To continue, I'd be willing to help with this as well, @yoyo930021 also said they'd be willing to submit a PR. As this discussion is long and hard to follow, let me tag a core team member - @bluwy, sorry if this is spam, but could you please chime in as to what Vite team thinks? If there are people willing to make a PR that would still be work for you, but I think we would appreciate an official stance on whether this should be part of Vite. Thanks! |
any updates or modern workarounds guys? 😅 |
for security reason, we should Have this feature, both for generated and dynamic chunks. |
Is your feature request related to a problem? Please describe.
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
Describe the solution you'd like
Use https://github.com/JonasKruckenberg/rollup-plugin-sri by default to add tokens to the tags.
Describe alternatives you've considered
Guide, option
The text was updated successfully, but these errors were encountered: