fix: omit integrity hashes for local vendor plugins #964
Merged
Conversation
Coverage Report for CI Build 28303488568: coverage remained the same at 97.451%. No uncovered changes found. No coverage regressions found.
💛 - Coveralls
Congrats on merging your first pull request here! 🎉 How awesome!
fix: omit SRI for local vendor assets

Problem

When `vendors.plugins: local`, the theme emits the hardcoded `integrity` hashes from `_vendors.yml` on self-hosted vendor `<link>`/`<script>` tags. Those hashes are computed for the CDN builds. As soon as the locally bundled files differ byte-for-byte from the CDN build the hash was computed for, for example when the vendor library is updated independently of the theme, the browser's Subresource Integrity check fails, blocks every vendor asset, and the page renders blank.
Fix

Subresource Integrity only adds value for cross-origin CDN assets, where it protects against a compromised third party. Self-hosted (`local`) files are served same-origin, so SRI provides little benefit there and is exactly what breaks.
So in `local` mode we simply drop `integrity` (and `crossorigin`) instead of carrying a hash that can mismatch:

vendors[key] = { url : links[plugins] || links.cdnjs, - integrity: value.integrity + integrity: plugins === 'local' ? undefined : value.integrity };
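Review bot: the `url` fallback `links[plugins] || links.cdnjs` can still hand back a cross-origin CDN URL in `local` mode whenever a vendor has no `local` link, and the new `integrity: plugins === 'local' ? undefined : value.integrity` then drops the hash for that CDN asset as well, so it would load without SRI. Gate the decision on whether the resolved URL actually came from `links.local` rather than on the mode alone, e.g. `const isLocal = plugins === 'local' && Boolean(links.local);` followed by `integrity: isLocal ? undefined : value.integrity`, so a CDN fallback keeps its hash. A short comment at this line noting that `next_vendors` also omits `crossorigin` when `integrity` is undefined would make the coupling the description relies on visible at the call site.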
The `next_vendors` helper already omits both attributes when the hash is absent, so no other change is needed. CDN modes are unaffected — they keep using the hardcoded `_vendors.yml` hashes.

Notes
that computed hashes via `@next-theme/plugins`, so the dependency on "Update dependencies and calculate correct integrity hashes for local files" (plugins#347) is dropped.

`scripts/events/lib/vendors.js`.

Testing
- `vendors.plugins: local` with vendor versions that differ from the CDN hashes: assets now load (previously blank page); generated tags carry no `integrity`/`crossorigin`.
- `vendors.plugins: cdnjs` (and other CDN providers): unchanged — `integrity` and `crossorigin` still emitted from `_vendors.yml`.