
Add support for Subresource Integrity #176

Closed
tmaier opened this issue Jan 13, 2022 · 12 comments
Labels
enhancement New feature or request

Comments

@tmaier

tmaier commented Jan 13, 2022

Is your feature request related to a problem? Please describe.

Similar to rails/webpacker#323

Sprockets supported subresource integrity out of the box. It would be nice if

vite_javascript_tag 'application', integrity: true

worked the same.

Describe the solution you'd like
Calculate the hash for each file and add it to the relevant tags

Describe alternatives you've considered
None.

Additional context

@ElMassimo ElMassimo added the enhancement New feature or request label Jan 13, 2022
@ElMassimo ElMassimo changed the title Subresource Integrity Add support for Subresource Integrity Jan 15, 2022
@ElMassimo
Owner

@tmaier Given that this requires changes to public APIs in ViteRuby::Manifest, it will need to wait for the next major release.

Experimental support is available in the next branch, you can try it now by explicitly adding 4.0.0.alpha1 to your Gemfile:

gem 'vite_rails', '~> 4.0.0.alpha1'

You must also add vite-plugin-manifest-sri to your package.json and configure it in vite.config.ts:

import { defineConfig } from 'vite'
import RubyPlugin from 'vite-plugin-ruby'
import ManifestSRI from 'vite-plugin-manifest-sri'

export default defineConfig({
  plugins: [
    RubyPlugin(),
    ManifestSRI(),
  ],
})

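As an added illustration (not code from vite_rails or vite-plugin-manifest-sri) of what "calculate the hash for each file and add it to the relevant tags" amounts to once the plugin above has run: compute the SRI value per built asset, record it in the manifest, render the tag a helper like vite_javascript_tag(..., integrity: true) would emit, and re-check a deployed file against the manifest. The function names, the 'integrity' manifest field and the sample manifest are assumptions for this example; the real plugin's field name and layout may differ.

```ruby
require 'digest'
require 'tmpdir'

# Subresource Integrity value for one built asset: "<algo>-<base64 of raw digest>".
# sha384 is what Sprockets' integrity: true emitted; browsers also accept sha256
# and sha512 and use the strongest algorithm when several values are listed.
def sri_integrity(path, algorithm: 'sha384')
  digest_class = { 'sha256' => Digest::SHA256, 'sha384' => Digest::SHA384,
                   'sha512' => Digest::SHA512 }.fetch(algorithm) { |a|
    raise ArgumentError, "unsupported SRI algorithm: #{a}"
  }
  # pack('m0') is strict base64 (single line, standard alphabet); no base64 gem needed.
  "#{algorithm}-#{[digest_class.file(path).digest].pack('m0')}"
end

# Add an "integrity" key to each Vite manifest entry, hashing the built file under
# build_dir. Hypothetical stand-in for what a manifest SRI plugin writes at build
# time; the real plugin's field name and layout may differ.
def add_integrity_to_manifest(manifest, build_dir)
  manifest.each_with_object({}) do |(name, entry), out|
    out[name] = entry.merge('integrity' => sri_integrity(File.join(build_dir, entry['file'])))
  end
end

# The tag a helper like vite_javascript_tag('application', integrity: true) would
# emit. crossorigin is required: for a cross-origin (CDN) response without CORS
# the browser cannot read the bytes to verify them and refuses to run the script.
def script_tag_with_sri(entry, asset_host: '')
  %(<script type="module" src="#{asset_host}/#{entry['file']}" ) +
    %(integrity="#{entry['integrity']}" crossorigin="anonymous"></script>)
end

# Deployment check: does the file on disk still match the manifest's integrity
# value? false means the asset changed after the build (or the manifest is
# stale), which browsers would surface as a blocked script, not a silent load.
def integrity_matches?(entry, build_dir)
  algorithm = entry['integrity'].split('-', 2).first
  sri_integrity(File.join(build_dir, entry['file']), algorithm: algorithm) == entry['integrity']
end

# Constructed sample: a one-entry Vite-style manifest and its built file, written
# into a fresh temp dir. Returns [build_dir, manifest].
def build_sample
  dir = Dir.mktmpdir('vite-sri')
  File.write(File.join(dir, 'app.js'), "console.log('hello')\n")
  [dir, { 'application.js' => { 'file' => 'app.js', 'isEntry' => true } }]
end
```
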
@ElMassimo ElMassimo added the planned: 4.0 To be released in 4.0 label Jan 18, 2022
@vladimirtemnikov
Contributor

@ElMassimo is this feature still not ready to release? Could be really helpful for security reasons.

@ElMassimo
Owner

ElMassimo commented Aug 3, 2023

The implementation in 4.0.0.alpha1 lives in the next branch, and is "ready".

Given that this requires changes to public APIs in ViteRuby::Manifest, it will need to wait for the next major release.

This hasn't been a highly requested feature. I'm waiting for either breaking changes in Vite or something else that justifies releasing a new major.

@santosgagbegnon

Hey @ElMassimo, is it possible to update the next branch to be based off the latest version of vite_rails? It looks like it's currently based off v3.0.8, which was released in 2022.

I'd like to use the Subresource integrity feature, but also need some of the fixes & features that were introduced in later releases (example)

Thanks!

@renchap

renchap commented Jan 7, 2024

Hi there!

Any news on this feature? Is there something I can do to help?

I am working on replacing Webpacker with Vite for Mastodon (see mastodon/mastodon#24981) and SRI is a requirement for us.

@mjankowski
Contributor

Also curious here ... this feature seems like it's been done for ~2+ years, but hasn't been released yet?

Are you still hesitant to ship 4.0 with JUST this? If so, are you open to PRs that try to fold it into 3.x?

Separately - are there any other changes queued up (I see some Ruby version support changes in the last few months, 3.0 is now EOL, etc...) which might help justify a 4.0?

@smotraghi-shopify

Hi @ElMassimo , just wanted to join the chorus of folks requesting an official release supporting SRI. Happy to help if necessary. Thanks so much!

@writercoder

Hi, I believe this change is needed for PCI v4 compliance in March 2025. I'm really happy with this library, but I will have to look elsewhere if I can't implement SRI in good time for this deadline.

@VitalyEmelyanov

Hello, are there any updates on this story? I think it's quite a needed feature; it would be nice to see it in the official release.

@douglasmiller

@ElMassimo, I would really like to be able to make use of SRI with this package as it is a PCI requirement. Could you please provide the community with a roadmap for making this capability available with this gem?

@ElMassimo
Owner

ElMassimo commented Jan 15, 2025

This library intends to integrate Vite into Ruby projects, but adding features on top of what Vite offers out of the box is out of scope.

Vite does not yet offer built-in support for SRI:

There's an example implementation for SRI in 4.0.0.alpha1 that lives in the next branch, which is "ready".

There are a few factors that make me unlikely to move forward with that:

  • Vite might add support for SRI in the near future
  • Vite could change its manifest format in a way that is incompatible with the extensions in vite-plugin-manifest-sri
  • I don't have a personal incentive to add this feature, as I'm not using it in any of the projects that I work on
  • More users using SRI through my plugins would increase the amount of messages and issues I get about "SRI not working in my app"

Unless #2377 is resolved one way or another and there's new information to evaluate, please refrain from commenting on this issue.

@ElMassimo ElMassimo removed the planned: 4.0 To be released in 4.0 label Jan 15, 2025