Merge pull request #3 from S1SYPHOS/Fixing-#2

Add user-defined hash algorithms & CORS-settings
Pimp README

README.md

@@ -1,60 +1,69 @@
 # kirby-sri
-This plugin generates base64-encoded cryptographic hashes for your css / js files based on their content and adds them to the `integrity` attribute of their corresponding `<script>` or `<link>` elements.
+This plugin generates base64-encoded cryptographic hashes for your css / js files based on their content and adds them to the `integrity` attribute of their corresponding `<link>` or `<script>` elements. It also applies [cache-busting / fingerprinting](#cache-busting--fingerprinting).
 
-`kirby-sri` also applies [cache-busting / fingerprinting](#cache-busting--fingerprinting).
-
-![screenshot of the kirby-sri plugin](screenshot.png)
+**Table of contents**
+- [1. What's SRI?](#whats-sri)
+- [2. Getting started](#getting-started)
+- [3. Configuration](#configuration)
+- [4. Cachebusting / fingerprinting](#cache-busting--fingerprinting)
+- [5. Be safe - use protection!](#be-safe---use-protection)
+- [6. Credits / License](#credits--license)
 
 ## What's SRI?
 > Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.
 > [Mozilla Developer Network](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)
 
 Enter `kirby-sri`: Kirby-side generated SRI hashes for [safer CDN usage](https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/). Read more about CDN integration and Kirby in the [docs](https://getkirby.com/docs/cookbook/kirby-loves-cdn)) or over at Kirby's partner [KeyCDN](https://www.keycdn.com/support/kirby-cdn-integration/) to get started.
 
-**This plugin only provides hash generation. For usage with CDNs, refer to Kirby's official [`cdn-plugin`](https://github.com/getkirby-plugins/cdn-plugin)!**
+![screenshot of the kirby-sri plugin](screenshot.png)
 
-## Installation
+**This plugin only provides hash generation.** For usage with CDNs, refer to Kirby's official [`cdn-plugin`](https://github.com/getkirby-plugins/cdn-plugin)!
+
+## Getting started
 Use one of the following methods to install & use `kirby-sri`:
 
-### 1. Git Submodule
+### Git submodule
 
 If you know your way around Git, you can download this plugin as a [submodule](https://github.com/blog/2104-working-with-submodules):
 
 ```text
 git submodule add https://github.com/S1SYPHOS/kirby-sri.git site/plugins/kirby-sri
 ```
 
-### 2. Clone or download
+### Clone or download
 
 1. [Clone](https://github.com/S1SYPHOS/kirby-sri.git) or [download](https://github.com/S1SYPHOS/kirby-sri/archive/master.zip)  this repository.
 2. Unzip / Move the folder to `site/plugins`.
 
-### 3. Activate the plugin
+### Activate the plugin
 Activate the plugin with the following line in your `config.php`:
 
 ```text
 c::set('sri-hash', true);
 ```
 
-Kirby's built-in helper functions `css()` and `js()` will now include the `integrity` attribute alongside a matching SRI hash.
+Kirby's built-in helper functions `css()` and `js()` will now include an `integrity` attribute alongside the matching SRI hash. If you want to activate `sri-hash` only on specific domains, read about [multi-environment setups](https://getkirby.com/docs/developer-guide/configuration/options).
 
-**Always use https:// URLs when loading subresources from a CDN, otherwise they might get blocked:**
+## Configuration
+Change `kirby-sri` options to suit your needs:
 
-> Mixed content occurs when initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.
-> [Google Developers](https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content)
+| Option | Type | Default | Description |
+| --- | --- | --- | --- |
+| `sri-hash.algorithm` | String | `sha512` | Defines the cryptographic [hash algorithm](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) (currently the allowed prefixes are `sha256`, `sha384` and `sha512`). |
+| `sri-hash.use-credentials` | Boolean | `false` | Sets [crossorigin attribute](https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_settings_attributes) to `use-credentials` instead of `anonymous`. |
 
 ## Cache-busting / Fingerprinting
 [Same old, same old](https://www.keycdn.com/support/what-is-cache-busting/). If anyone comes up with a solution how subresource integrity and cache-busting / fingerprinting could be achieved by different plugins (as all of them modify Kirby's built-in helper functions `css()` and `js()`), feel free to open a PR! Otherwise, follow the next steps:
 
-### 1. Apache
+### Apache
 If you're using [Apache](http://httpd.apache.org/) as your webserver, add the following lines to your `.htaccess` (right after `RewriteBase`):
 
 ```text
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule ^(.+)\.([0-9]{10})\.(js|css)$ $1.$3 [L]
 ```
 
-### 2. NGINX
+### NGINX
 If you're using [NGINX](https://nginx.org/en/) as your webserver, add the following lines to your virtual host setup:
 
 ```text
@@ -65,9 +74,15 @@ location /assets {
 }
 ```
 
-**Note: Subresource integrity & cache-busting are not applied to external URLs!**
+**Note: SRI hash generation & cache-busting are not applied to external URLs!**
+
+## Be safe - use protection!
+**Always use https:// URLs** when loading subresources from a CDN, otherwise they might get blocked:
+
+> Mixed content occurs when initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.
+> [Google Developers](https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content)
 
-## Credits
+## Credits / License
 `kirby-sri` was inspired by Kirby plugins [cachebuster](https://github.com/getkirby-plugins/cachebuster-plugin) (by Kirby team members [Bastian Allgeier](https://github.com/bastianallgeier) and [Lukas Bestle](https://github.com/lukasbestle)) as well as [fingerprint](https://github.com/iksi/kirby-fingerprint) (by [Iksi](https://github.com/iksi)). It is licensed under the [MIT License](LICENSE), but **using Kirby in production** requires you to [buy a license](https://getkirby.com/buy). Are you ready for the [next step](https://getkirby.com/next)?
 
 ## Special Thanks

core/css.php

@@ -4,6 +4,7 @@
 
 use Asset;
 use f;
+use c;
 use html;
 
 class CSS extends \Kirby\Component\CSS {
@@ -38,7 +39,7 @@ public function tag($url, $media = null) {
     if (file_exists($url)) {
       // generate sri hash for css files
       $cssInput = (new Asset($url))->content();
-      $cssIntegrity = checksum($cssInput);
+      $cssIntegrity = sri_checksum($cssInput);
 
       // add timestamp for cache-busting
       $modified = filemtime($url);
@@ -52,7 +53,7 @@ public function tag($url, $media = null) {
       'rel'  => 'stylesheet',
       'href' => url($url),
       'integrity' => $cssIntegrity, // inject generated sri hash
-      'crossorigin' => 'anonymous'
+      'crossorigin' => c::get('sri-hash.use-credentials') ? 'use-credentials' : 'anonymous' // set user-defined 'crossorigin' attribute
     );
 
     if(is_array($media)) {

core/js.php

@@ -4,6 +4,7 @@
 
 use Asset;
 use f;
+use c;
 use html;
 
 class JS extends \Kirby\Component\JS {
@@ -38,7 +39,7 @@ public function tag($src, $async = false) {
     if (file_exists($src)) {
       // generate sri hash for css files
       $jsInput = (new Asset($src))->content();
-      $jsIntegrity = checksum($jsInput);
+      $jsIntegrity = sri_checksum($jsInput);
 
       // add timestamp for cache-busting
       $modified = filemtime($src);
@@ -51,7 +52,7 @@ public function tag($src, $async = false) {
     $attr = array(
       'src' => url($src),
       'integrity' => $jsIntegrity, // inject generated sri hash
-      'crossorigin' => 'anonymous'
+      'crossorigin' => c::get('sri-hash.use-credentials') ? 'use-credentials' : 'anonymous' // set user-defined 'crossorigin' attribute
     );
 
     if(is_array($async)) {

kirby-sri.php

@@ -3,17 +3,18 @@
 /**
  * Adding SRI Hash to css & js files and cache-busting them
  *
- * @version 0.1.0
+ * @version 0.3.0
  * @author S1SYPHOS <[email protected]>
  */
 
 if(!c::get('sri-hash')) return;
 
-function checksum($input) {
-  $hash = hash('sha512', $input, true);
+function sri_checksum($input) {
+  $algorithm = c::get('sri-hash.algorithm') ? c::get('sri-hash.algorithm') : 'sha512';
+  $hash = hash($algorithm, $input, true);
   $hash_base64 = base64_encode($hash);
 
-  return "sha512-$hash_base64";
+  return "$algorithm-$hash_base64";
 }
 
 load([

package.json

@@ -2,7 +2,7 @@
   "name": "sri-hash",
   "description": "Kirby SRI Hash & Cache-bust Plugin",
   "author": "S1SYPHOS <[email protected]>",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "type": "kirby-plugin",
   "license": "MIT"
 }