Compressed files - integrity problem #125

Closed
emzet opened this issue Jul 1, 2020 · 3 comments

emzet commented Jul 1, 2020

Hi, in my Angular 9 app I'm using ngx-build-plus to extend the internal webpack configuration, because I also want to pre-build gzip and brotli files with this plugin: compression-webpack-plugin. Everything works fine, the gzipped and brotlied files are OK. The problem is when I try to build the Angular application with the --subresource-integrity flag. Adding this flag simply enables the webpack-subresource-integrity plugin under the hood in Angular CLI and outputs integrity attributes for script and style elements in index.html.

Then the problem is that this plugin computes integrity hashes from the original files and not the compressed ones. If the browser supports gzip or brotli encoding, then the server sends those static assets (js, css, ...) compressed instead of the original ones, so the problem is that the hash does not match. The question is whether it is possible to solve this somehow. As you can see in this proposal, it is possible to use multiple values of the same hash. So is it possible to collaborate with compression-webpack-plugin, so that this plugin outputs all possible hashes for 1 file (original, gzipped, brotli, etc.)? Then, from what is written here and in the proposal, it seems that browsers should match only one of those and everything should work. Thanks.

Collaborator

jscheid commented Jul 1, 2020

> Then the problem is that this plugin computes integrity hashes from the original files and not the compressed ones. If the browser supports gzip or brotli encoding, then the server sends those static assets (js, css, ...) compressed instead of the original ones, so the problem is that the hash does not match.

I suspect you have a different problem if the hash doesn't match, since browsers compute the hash for the uncompressed asset. We've been using SRI together with compression (with just a single hash value computed from the uncompressed asset) for years without problems, and I'm sure many/most other people do too.

It would be best if you could make a repository to demonstrate the issue, preferably just using this plugin and compression-webpack-plugin (without Angular).
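
As an added illustration of the point made in the comment above (not code from this thread, from webpack-subresource-integrity or from compression-webpack-plugin), this Node.js example checks a single `integrity` value against identity, gzip and brotli deliveries of the same asset, and against compressed bytes that arrive without a `Content-Encoding` header. The asset contents and the names `sriDigest`, `decodeBody`, `passesIntegrity` and `demo` are constructed for the example.

```javascript
// Added example: SRI is checked against the content-decoded body.
const crypto = require('crypto');
const zlib = require('zlib');

// Build an SRI token such as "sha384-<base64 digest>".
function sriDigest(bytes, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Undo the Content-Encoding, as a browser does before the integrity check.
function decodeBody(body, contentEncoding) {
  switch (contentEncoding) {
    case 'gzip': return zlib.gunzipSync(body);
    case 'br': return zlib.brotliDecompressSync(body);
    case undefined:
    case 'identity': return body;
    default: throw new Error(`unsupported Content-Encoding: ${contentEncoding}`);
  }
}

// Check a response against an integrity attribute value. Among several tokens,
// only the strongest listed algorithm is considered, and one match suffices.
function passesIntegrity(integrity, body, contentEncoding) {
  const strength = ['sha256', 'sha384', 'sha512'];
  const tokens = integrity.trim().split(/\s+/)
    .filter((t) => strength.includes(t.split('-')[0]));
  if (tokens.length === 0) return true; // no usable metadata: nothing to enforce
  const best = tokens.map((t) => t.split('-')[0])
    .sort((a, b) => strength.indexOf(b) - strength.indexOf(a))[0];
  const actual = sriDigest(decodeBody(body, contentEncoding), best);
  return tokens.some((t) => t.split('?')[0] === actual);
}

// Constructed sample asset, standing in for a webpack output chunk.
const asset = Buffer.from('console.log("hello from main.js");\n'.repeat(20));
const integrity = sriDigest(asset);        // hash of the uncompressed file
const gz = zlib.gzipSync(asset);           // stands in for a pre-built .gz file
const br = zlib.brotliCompressSync(asset); // stands in for a pre-built .br file

function demo() {
  return {
    identity: passesIntegrity(integrity, asset),
    gzip: passesIntegrity(integrity, gz, 'gzip'),
    brotli: passesIntegrity(integrity, br, 'br'),
    // Failure mode: compressed bytes delivered without Content-Encoding.
    gzipNoHeader: passesIntegrity(integrity, gz),
  };
}
console.log(demo());
```
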

Collaborator

jscheid commented Jul 1, 2020

Here's a simple demo with compression-webpack-plugin - works fine.

Collaborator

jscheid commented Jul 1, 2020

I'm closing this, feel free to reopen but if you do, please provide a demo or test case.
