From fbe0578e87e848566965839dc000d8ae24862ff0 Mon Sep 17 00:00:00 2001
From: Ivan Tammaro
Date: Mon, 23 Nov 2020 16:27:07 +0100
Subject: [PATCH] Add subresource integrity
---
 config/webpack.config.js | 7 +++++++
 package.json | 3 ++-
 yarn.lock | 9 ++++++++-
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/config/webpack.config.js b/config/webpack.config.js
index dca7cf721..dd98729be 100644
--- a/config/webpack.config.js
+++ b/config/webpack.config.js
@@ -23,6 +23,7 @@ const ModuleNotFoundPlugin = require('react-dev-utils/ModuleNotFoundPlugin');
 const ForkTsCheckerWebpackPlugin = require('react-dev-utils/ForkTsCheckerWebpackPlugin');
 const typescriptFormatter = require('react-dev-utils/typescriptFormatter');
 const SentryWebpackPlugin = require('@sentry/webpack-plugin');
+const SriPlugin = require('webpack-subresource-integrity');

 const postcssNormalize = require('postcss-normalize');

@@ -195,6 +196,7 @@ module.exports = function (webpackEnv) {
 // this defaults to 'window', but by setting it to 'this' then
 // module chunks which are built will work in web workers as well.
 globalObject: 'this',
+ crossOriginLoading: 'anonymous',
 },
 optimization: {
 minimize: isEnvProduction,
@@ -666,6 +668,11 @@ module.exports = function (webpackEnv) {
 include: '.',
 ignore: ['node_modules', 'config', 'internals', 'scripts'],
 }),
+ // Sri only enabled in production as it can interfere with hot reloading
+ isEnvProduction &&
+ new SriPlugin({
+ hashFuncNames: ['sha256', 'sha384'],
+ }),
 ].filter(Boolean),
 // Some libraries import Node modules but don't use them in the browser.
 // Tell webpack to provide empty mocks for them so importing them works.
diff --git a/package.json b/package.json
index 8f2e7618f..62c9f7738 100644
--- a/package.json
+++ b/package.json
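Review bot: `crossOriginLoading: 'anonymous'` in the `output` block applies to every build, while the SriPlugin added later in this file is gated on `isEnvProduction`; `crossOriginLoading: isEnvProduction ? 'anonymous' : false,` would keep development output as it was. With `anonymous`, cross-origin chunk requests are made in CORS mode without credentials, so if `publicPath` ever points at another origin (a CDN, say) that host must answer with `Access-Control-Allow-Origin` or the lazily loaded chunks will be blocked. A comment such as `// needed by webpack-subresource-integrity; cross-origin asset hosts must send CORS headers` would record why the setting exists. The `output` object begins and ends outside the hunk.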
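Review bot: The comment above `new SriPlugin({...})` in the `plugins` array explains the production gate but not the deployment constraint the plugin introduces: once `integrity` attributes are emitted, browsers refuse any script or stylesheet whose bytes differ from the build output. Anything that rewrites assets after the build (a CDN or proxy that minifies or injects content) will then break page loads outright, so I would extend the comment, e.g. `// Assets must be served byte-for-byte as built (Cache-Control: no-transform); deploy index.html together with its assets`. A post-build check that the generated HTML actually carries `integrity` attributes is also worth adding, since nothing in the hunk fails the build if they are missing; how the HTML is generated is outside this hunk. The `plugins` array and the enclosing function start outside the hunk.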
@@ -252,7 +252,8 @@
 "@sentry/webpack-plugin": "1.13.0",
 "@types/mathjs": "6.0.5",
 "@types/socket.io-client": "1.4.34",
- "node-sass": "4.14.1"
+ "node-sass": "4.14.1",
+ "webpack-subresource-integrity": "1.5.2"
 },
 "babel": {
 "presets": [
diff --git a/yarn.lock b/yarn.lock
index 8b946dbcb..07bc5d4a9 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -17525,7 +17525,7 @@ webpack-manifest-plugin@2.2.0: object.entries "^1.1.0" tapable "^1.0.0" -webpack-sources@^1.1.0, webpack-sources@^1.4.0, webpack-sources@^1.4.1, webpack-sources@^1.4.3: +webpack-sources@^1.1.0, webpack-sources@^1.3.0, webpack-sources@^1.4.0, webpack-sources@^1.4.1, webpack-sources@^1.4.3: version "1.4.3" resolved "https://registry.yarnpkg.com/webpack-sources/-/webpack-sources-1.4.3.tgz#eedd8ec0b928fbf1cbfe994e22d2d890f330a933" integrity sha512-lgTS3Xhv1lCOKo7SA5TjKXMjpSM4sBjNV5+q2bqesbSPs5FjGmU6jjtBSkX9b4qW87vDIsCIlUPOEhbZrMdjeQ==
@@ -17533,6 +17533,13 @@ webpack-sources@^1.1.0, webpack-sources@^1.4.0, webpack-sources@^1.4.1, webpack- source-list-map "^2.0.0" source-map "~0.6.1" +webpack-subresource-integrity@1.5.2: + version "1.5.2" + resolved "https://registry.yarnpkg.com/webpack-subresource-integrity/-/webpack-subresource-integrity-1.5.2.tgz#e40b6578d3072e2d24104975249c52c66e9a743e" + integrity sha512-GBWYBoyalbo5YClwWop9qe6Zclp8CIXYGIz12OPclJhIrSplDxs1Ls1JDMH8xBPPrg1T6ISaTW9Y6zOrwEiAzw== + dependencies: + webpack-sources "^1.3.0" + webpack@4.42.0: version "4.42.0" resolved "https://registry.yarnpkg.com/webpack/-/webpack-4.42.0.tgz#b901635dd6179391d90740a63c93f76f39883eb8"