Add support for Subresource Integrity #176
@tmaier Given that this requires changes to public APIs in Experimental support is available in the next branch, you can try it now by explicitly adding gem 'vite_rails', '~> 4.0.0.alpha1' You must also add vite-plugin-manifest-sri to your

```js
import { defineConfig } from 'vite'
import RubyPlugin from 'vite-plugin-ruby'
import ManifestSRI from 'vite-plugin-manifest-sri'

export default defineConfig({
  plugins: [
    RubyPlugin(),
    ManifestSRI(),
  ],
})
```
@ElMassimo is this feature still not ready to release? Could be really helpful for security reasons. |
The implementation in
This hasn't been a highly requested feature. I'm waiting for either breaking changes in Vite or something else that justifies releasing a new major. |
Hey @ElMassimo, is it possible to update the I'd like to use the Subresource integrity feature, but also need some of the fixes & features that were introduced in later releases (example) Thanks! |
Hi there! Any news on this feature? Is there something I can do to help? I am working on replacing Webpacker with Vite for Mastodon (see mastodon/mastodon#24981) and SRI is a requirement for us. |
Also curious here ... this feature seems like it's been done for ~2+ years, but hasn't been released yet? Are you still hesitant to ship 4.0 with JUST this? If so, are you open to PRs that try to fold it into 3.x? Separately - are there any other changes queued up (I see some ruby version support changes in last few months, 3.0 is now EOL, etc...) which might help justify a 4.0? |
Hi @ElMassimo , just wanted to join the chorus of folks requesting an official release supporting SRI. Happy to help if necessary. Thanks so much! |
Hi, I believe this change is needed for PCI v4 compliance in March 2025. I'm really happy with this library but I will have to look elsewhere if I can't implement SRI in good time for this deadline. |
Hello, are there any updates on this story? I think it's quite a needed feature, would be nice to see it in the official release. |
@ElMassimo, I would really like to be able to make use of SRI with this package as it is a PCI requirement. Could you please provide the community with a roadmap for making this capability available with this gem? |
This library intends to integrate Vite into Ruby projects, but adding features on top of what Vite offers out of the box is out of scope. Vite does not yet offer built-in support for SRI: There's an example implementation for SRI in There are a few factors that make me unlikely to move forward with that:
Unless #2377 is resolved one way or another and there's new information to evaluate, please refrain from commenting on this issue. |
Is your feature request related to a problem? Please describe.
Similar to rails/webpacker#323
Sprockets supported subresource integrity out of the box. It would be nice if
worked the same.
Describe the solution you'd like
Calculate the hash for each file and add it to the relevant tags
Describe alternatives you've considered
None.
Additional context
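The request above ("calculate the hash for each file and add it to the relevant tags") can be sketched as follows. This is an added example, not code from vite_ruby or vite-plugin-manifest-sri; the helper names, the `integrity` manifest key, the `/vite/` base path and the sample asset are assumptions made for illustration.

```ruby
require 'digest/sha2'
require 'erb'
require 'tmpdir'

# Hypothetical helpers for illustration; not vite_ruby's API.
# An SRI value is "<algorithm>-<base64 of the raw digest>" (sha384 here).
def sri_hash(bytes)
  "sha384-#{Digest::SHA384.base64digest(bytes)}"
end

# Build step: add an "integrity" key to every manifest entry.
def add_integrity(manifest, build_dir)
  manifest.transform_values do |entry|
    path = File.join(build_dir, entry.fetch('file'))
    entry.merge('integrity' => sri_hash(File.binread(path)))
  end
end

# Render step: emit the tag with the precomputed hash. crossorigin makes the
# fetch CORS-enabled, which SRI needs when assets come from another origin.
def script_tag(entry, base: '/vite/')
  src = ERB::Util.html_escape(base + entry.fetch('file'))
  sri = ERB::Util.html_escape(entry.fetch('integrity'))
  %(<script type="module" src="#{src}" integrity="#{sri}" crossorigin="anonymous"></script>)
end

# Deploy-time check: does the file on disk still match the manifest?
def intact?(entry, build_dir)
  sri_hash(File.binread(File.join(build_dir, entry.fetch('file')))) == entry['integrity']
end

# Constructed sample: one built asset and a one-entry manifest.
def demo
  Dir.mktmpdir do |dir|
    Dir.mkdir(File.join(dir, 'assets'))
    file = 'assets/application.4f2a.js'
    File.binwrite(File.join(dir, file), "console.log('hello')\n")
    manifest = add_integrity({ 'entrypoints/application.js' => { 'file' => file } }, dir)
    entry = manifest['entrypoints/application.js']
    before = intact?(entry, dir)
    # Simulate the asset being modified after the manifest was written.
    File.binwrite(File.join(dir, file), "console.log('tampered')\n")
    { tag: script_tag(entry), before: before, after: intact?(entry, dir) }
  end
end

puts demo[:tag] if $PROGRAM_NAME == __FILE__
```

A browser performs the same comparison as `intact?` on the bytes it downloads and refuses to execute the script when the digest differs from the `integrity` attribute.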