Fixes #16 - do not report links unless they conform to HTML spec for SRI

4ARMED · Aug 8, 2024 · 6d41f35 · 6d41f35
1 parent bde9269
commit 6d41f35
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 3 deletions.
diff --git a/sricheck/sricheck.py b/sricheck/sricheck.py
@@ -126,12 +126,19 @@ def get_remote_resource_tags(self, html):
 
         if self.skip_checks is True:
             script_tags = [tag for tag in soup.find_all(['script'], attrs={'src':True})]
-            link_tags = [tag for tag in soup.find_all(['link'], attrs={'href':True})]
+            link_tags = [tag for tag in soup.find_all(['link'], attrs={
+                'href':True,
+                'rel': lambda x: x is not None and x in ['stylesheet', 'preload', 'modulepreload'],
+            })]
             resource_tags.extend(script_tags)
             resource_tags.extend(link_tags)
         else:
             script_tags = [tag for tag in soup.find_all(['script'], attrs={'src':True, 'integrity':None})]
-            link_tags = [tag for tag in soup.find_all(['link'], attrs={'href':True, 'integrity':None})]
+            link_tags = [tag for tag in soup.find_all(['link'], attrs={
+                'href':True, 
+                'integrity':None,
+                'rel': lambda x: x is not None and x in ['stylesheet', 'preload', 'modulepreload'],
+            })]
             resource_tags.extend(script_tags)
             resource_tags.extend(link_tags)
 

diff --git a/tests/unit/test_parsing.py b/tests/unit/test_parsing.py
@@ -21,4 +21,28 @@ def test_script_tag_on_third_party_with_sri_returns_no_results(self):
         check = SRICheck("https://www.4armed.com")
         html = """<html><head><script crossorigin="anonymous" integrity="sha384-qkIfm9UUNrOzzGFh3YtL/KOHBwDNjW00Iwd0LK/DAsdmiOWRUfXBRl/s1Rtn9h8/" src="https://cdn.cloudflare.com/script.js"></script></head></html>"""
         remote_resource_tags = check.get_remote_resource_tags(html)
-        self.assertEqual(len(remote_resource_tags), 0)
+        self.assertEqual(len(remote_resource_tags), 0)
+
+    def test_rel_icon_returns_no_results(self):
+        check = SRICheck("https://www.4armed.com")
+        html = """<html><head><link href="https://www.example.com/favicon.png" rel="icon" type="image/png" /></head></html>"""
+        remote_resource_tags = check.get_remote_resource_tags(html)
+        self.assertEqual(len(remote_resource_tags), 0)
+
+    def test_rel_stylesheet_returns_result(self):
+        check = SRICheck("https://www.4armed.com")
+        html = """<html><head><link href="https://www.example.com/style.css" rel="stylesheet" /></head></html>"""
+        remote_resource_tags = check.get_remote_resource_tags(html)
+        self.assertEqual(len(remote_resource_tags), 1)
+
+    def test_rel_preload_returns_result(self):
+        check = SRICheck("https://www.4armed.com")
+        html = """<html><head><link href="https://www.example.com/style.css" rel="preload" as="stylesheet" /></head></html>"""
+        remote_resource_tags = check.get_remote_resource_tags(html)
+        self.assertEqual(len(remote_resource_tags), 1)
+
+    def test_rel_modulepreload_returns_result(self):
+        check = SRICheck("https://www.4armed.com")
+        html = """<html><head><link href="https://cdn.cloudflare.com/script.js" rel="modulepreload"></script></head></html>"""
+        remote_resource_tags = check.get_remote_resource_tags(html)
+        self.assertEqual(len(remote_resource_tags), 1)