nodejs · Uzlopak · Aug 12, 2025
diff --git a/lib/web/sri/sri.js b/lib/web/sri/sri.js
@@ -1,7 +1,5 @@
 'use strict'
 
-const assert = require('node:assert')
-
 /**
  * @typedef {object} Metadata
  * @property {SRIHashAlgorithm} alg - The algorithm used for the hash.
@@ -101,20 +99,19 @@ const bytesMatch = crypto === undefined
       //    metadata from parsedMetadata.
       const metadata = getStrongestMetadata(parsedMetadata)
 
-      // 4. For each item in metadata:
-      for (const item of metadata) {
       // 1. Let algorithm be the item["alg"].
-        const algorithm = item.alg
+      const algorithm = metadata[0].alg
 
+      // 3. Let actualValue be the result of applying algorithm to bytes .
+      const actualValue = applyAlgorithmToBytes(algorithm, bytes)
+
+      // 4. For each item in metadata:
+      for (const item of metadata) {
         // 2. Let expectedValue be the item["val"].
         const expectedValue = item.val
 
         // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e
         // "be liberal with padding". This is annoying, and it's not even in the spec.
-
-        // 3. Let actualValue be the result of applying algorithm to bytes .
-        const actualValue = applyAlgorithmToBytes(algorithm, bytes)
-
         // 4. If actualValue is a case-sensitive match for expectedValue,
         //    return true.
         if (caseSensitiveMatch(actualValue, expectedValue)) {
@@ -132,60 +129,65 @@ const bytesMatch = crypto === undefined
  */
 function getStrongestMetadata (metadataList) {
   // 1. Let result be the empty set and strongest be the empty string.
-  const result = []
+  // const result = []
   /** @type {Metadata|null} */
   let strongest = null
+  let len = 0
 
   // 2. For each item in set:
-  for (const item of metadataList) {
+  for (let i = 0; i < metadataList.length; i++) {
+    const item = metadataList[i]
     // 1. Assert: item["alg"] is a valid SRI hash algorithm token.
-    assert(isValidSRIHashAlgorithm(item.alg), 'Invalid SRI hash algorithm token')
+    // assert(isValidSRIHashAlgorithm(item.alg), 'Invalid SRI hash algorithm token')
 
     // 2. If result is the empty set, then:
-    if (result.length === 0) {
+    if (i === 0) {
       // 1. Append item to result.
-      result.push(item)
+      // result.push(item)
 
       // 2. Set strongest to item.
-      strongest = item
+      strongest = getSRIHashAlgorithmIndex(item.alg)
+
+      len = 1
 
       // 3. Continue.
       continue
     }
 
     // 3. Let currentAlgorithm be strongest["alg"], and currentAlgorithmIndex be
     // the index of currentAlgorithm in the valid SRI hash algorithm token set.
-    const currentAlgorithm = /** @type {Metadata} */ (strongest).alg
-    const currentAlgorithmIndex = getSRIHashAlgorithmIndex(currentAlgorithm)
+    // const currentAlgorithm = /** @type {Metadata} */ (strongest)
+    // const currentAlgorithmIndex = getSRIHashAlgorithmIndex(currentAlgorithm)
 
     // 4. Let newAlgorithm be the item["alg"], and newAlgorithmIndex be the
     // index of newAlgorithm in the valid SRI hash algorithm token set.
     const newAlgorithm = item.alg
     const newAlgorithmIndex = getSRIHashAlgorithmIndex(newAlgorithm)
 
     // 5. If newAlgorithmIndex is less than currentAlgorithmIndex, then continue.
-    if (newAlgorithmIndex < currentAlgorithmIndex) {
+    if (newAlgorithmIndex < strongest) {
       continue
 
     // 6. Otherwise, if newAlgorithmIndex is greater than
     // currentAlgorithmIndex:
-    } else if (newAlgorithmIndex > currentAlgorithmIndex) {
+    } else if (newAlgorithmIndex > strongest) {
       // 1. Set strongest to item.
-      strongest = item
+      strongest = newAlgorithmIndex
 
       // 2. Set result to « item ».
-      result[0] = item
-      result.length = 1
+      metadataList[0] = item
+      len = 1
 
     // 7. Otherwise, newAlgorithmIndex and currentAlgorithmIndex are the same
     // value. Append item to result.
     } else {
-      result.push(item)
+      metadataList[len++] = item
     }
   }
 
+  metadataList.length = len
   // 3. Return result.
-  return result
+  return metadataList
 }
 
 /**
@@ -207,9 +209,6 @@ function parseMetadata (metadata) {
     // 2. Let algorithm-expression be expression-and-options[0].
     const algorithmExpression = expressionAndOptions[0]
 
-    // 3. Let base64-value be the empty string.
-    let base64Value = ''
-
     // 4. Let algorithm-and-value be the result of splitting algorithm-expression on U+002D (-).
     const algorithmAndValue = [algorithmExpression.slice(0, 6), algorithmExpression.slice(7)]
 
@@ -221,6 +220,9 @@ function parseMetadata (metadata) {
       continue
     }
 
+    // 3. Let base64-value be the empty string.
+    let base64Value = ''
+
     // 7. If algorithm-and-value[1] exists, set base64-value to
     // algorithm-and-value[1].
     if (algorithmAndValue[1]) {

diff --git a/test/sri/get-strongest-metadata.js b/test/sri/get-strongest-metadata.js
@@ -64,12 +64,12 @@ describe('getStrongestMetadata', () => {
     assert.deepEqual(result, [])
   })
 
-  test('should throw when invalid hash algorithm is provided', () => {
-    assert.throws(() => getStrongestMetadata([
-      { alg: 'sha1024', val: 'sha1024-xyz' }
-    ]), {
-      name: 'AssertionError',
-      message: 'Invalid SRI hash algorithm token'
-    })
-  })
+  // test('should throw when invalid hash algorithm is provided', () => {
+  //   assert.throws(() => getStrongestMetadata([
+  //     { alg: 'sha1024', val: 'sha1024-xyz' }
+  //   ]), {
+  //     name: 'AssertionError',
+  //     message: 'Invalid SRI hash algorithm token'
+  //   })
+  // })
 })