Safer fix for null integrity

For #97
waysact · Dec 10, 2018 · 22f81a2 · 22f81a2
1 parent cb63461
commit 22f81a2
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -103,6 +103,16 @@ you must set the `Cache-Control: no-transform` response header or your
 page will break when assets are loaded through a transforming
 proxy.  [See below](#proxies) for more information.
 
+### Content Security Policy
+
+Consider adding the following rule to your CSP file:
+
+```Content-Security-Policy: require-sri-for script style;```
+
+It ensures that if, for some reason, this plugin fails to add
+integrity attributes to all your assets, your page will fail to load
+rather than load with unverified assets.
+
 ### Options
 
 #### hashFuncNames

diff --git a/index.js b/index.js
@@ -265,7 +265,7 @@ SubresourceIntegrityPlugin.prototype.processTag =
     var src = this.hwpAssetPath(util.getTagSrc(tag));
     /* eslint-disable no-param-reassign */
     var integrity = util.getIntegrityChecksumForAsset(compilation.assets, src);
-    if (integrity !== null) {
+    if (!Object.prototype.hasOwnProperty.call(tag.attributes, "integrity")) {
       tag.attributes.integrity = integrity;
       tag.attributes.crossorigin = compilation.compiler.options.output.crossOriginLoading || 'anonymous';
     }