New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Subresource Integrity for App Directory #39729
Merged
Merged
Changes from 16 commits
Commits
Show all changes
18 commits
Select commit
Hold shift + click to select a range
eda03bd
feat: added sri support for app dir
wyattjoh ae6365d
fix: improve typings
wyattjoh 81f61e5
fix: added check for escape characters
wyattjoh 6dd4ff7
fix: throw instead of unset
wyattjoh 4c4f941
fix: added error page
wyattjoh 674b7bb
fix: language lint
wyattjoh 4f5645c
fix: language lint
wyattjoh aa698af
fix: moved function into closure to avoid typing
wyattjoh 7d0a45d
feat: added tests
wyattjoh 6f89dad
fix: fixed tests
wyattjoh 84f976e
fix: fixed tests
wyattjoh 8596d15
Update test/integration/image-optimizer/test/util.ts
wyattjoh e7e0e37
fix: added support for edge rendering
wyattjoh 00ab8a4
fix: skip SRI tests on development
wyattjoh 436c68a
chore: removed trace file
wyattjoh 4fa75c2
fix: corrected incorrect parameter
wyattjoh 539a352
Merge branch 'canary' into feat/app-dir-sri
kodiakhq[bot] 478cab9
Merge branch 'canary' into feat/app-dir-sri
kodiakhq[bot] File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
# nonce contained invalid characters | ||
|
||
#### Why This Error Occurred | ||
|
||
This happens when there is a request that contains a `Content-Security-Policy` | ||
header that contains a `script-src` directive with a nonce value that contains | ||
invalid characters (any one of `<>&` characters). For example: | ||
|
||
- `'nonce-<script />'`: not allowed | ||
- `'nonce-/>script<>'`: not allowed | ||
- `'nonce-PHNjcmlwdCAvPg=='`: allowed | ||
- `'nonce-Lz5zY3JpcHQ8Pg=='`: allowed | ||
|
||
#### Possible Ways to Fix It | ||
|
||
Replace the nonce value with a base64 encoded value. | ||
|
||
### Useful Links | ||
|
||
- [Content Security Policy Sources](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
71 changes: 71 additions & 0 deletions
71
packages/next/build/webpack/plugins/subresource-integrity-plugin.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
import { webpack, sources } from 'next/dist/compiled/webpack/webpack' | ||
import crypto from 'crypto' | ||
import { SUBRESOURCE_INTEGRITY_MANIFEST } from '../../../shared/lib/constants' | ||
|
||
const PLUGIN_NAME = 'SubresourceIntegrityPlugin' | ||
|
||
export type SubresourceIntegrityAlgorithm = 'sha256' | 'sha384' | 'sha512' | ||
|
||
export class SubresourceIntegrityPlugin { | ||
constructor(private readonly algorithm: SubresourceIntegrityAlgorithm) {} | ||
|
||
public apply(compiler: webpack.Compiler) { | ||
compiler.hooks.make.tap(PLUGIN_NAME, (compilation) => { | ||
compilation.hooks.afterOptimizeAssets.tap( | ||
{ | ||
name: PLUGIN_NAME, | ||
stage: webpack.Compilation.PROCESS_ASSETS_STAGE_ADDITIONS, | ||
}, | ||
(assets) => { | ||
// Collect all the entrypoint files. | ||
let files = new Set<string>() | ||
for (const entrypoint of compilation.entrypoints.values()) { | ||
const iterator = entrypoint?.getFiles() | ||
if (!iterator) { | ||
continue | ||
} | ||
|
||
for (const file of iterator) { | ||
files.add(file) | ||
} | ||
} | ||
|
||
// For each file, deduped, calculate the file hash. | ||
const hashes: Record<string, string> = {} | ||
for (const file of files.values()) { | ||
// Get the buffer for the asset. | ||
const asset = assets[file] | ||
if (!asset) { | ||
throw new Error(`could not get asset: ${file}`) | ||
} | ||
|
||
// Get the buffer for the asset. | ||
const buffer = asset.buffer() | ||
|
||
// Create the hash for the content. | ||
const hash = crypto | ||
.createHash(this.algorithm) | ||
.update(buffer) | ||
.digest() | ||
.toString('base64') | ||
|
||
hashes[file] = `${this.algorithm}-${hash}` | ||
} | ||
|
||
const json = JSON.stringify(hashes, null, 2) | ||
const file = 'server/' + SUBRESOURCE_INTEGRITY_MANIFEST | ||
assets[file + '.js'] = new sources.RawSource( | ||
'self.__SUBRESOURCE_INTEGRITY_MANIFEST=' + json | ||
// Work around webpack 4 type of RawSource being used | ||
// TODO: use webpack 5 type by default | ||
) as unknown as webpack.sources.RawSource | ||
assets[file + '.json'] = new sources.RawSource( | ||
json | ||
// Work around webpack 4 type of RawSource being used | ||
// TODO: use webpack 5 type by default | ||
) as unknown as webpack.sources.RawSource | ||
} | ||
) | ||
}) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this auto-assign? I couldn't find an example in the TypeScript docs for this 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems it does auto-assign with either
readonly
orprivate
👀 TILThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a shorthand that I'd say you should only use if there's only a handful of positional arguments. Shouldn't use if you need to do any other work within the constructor.