Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support subresource integrity hash #1561

Open
jfitzgerald opened this issue Sep 13, 2022 · 1 comment
Open

Support subresource integrity hash #1561

jfitzgerald opened this issue Sep 13, 2022 · 1 comment

Comments

@jfitzgerald
Copy link

Describe the problem

My infosec team is requesting that we load the DocSearch JavaScript with the subresource integrity property. I noticed that the Instantsearch.js files support this, as seen in the code snippet here. However the DocSearch code snippet does not offer the same option.

Describe the solution

I realize that I can generate the hash myself, but that’s not a permanent solution if the source file could change without warning.

Can I use this integrity hash and expect the DocSearch JS file not to change?

script src="https://cdn.jsdelivr.net/npm/@docsearch/js@3" integrity="sha256-9YwDyZ6nUsvEuYEWMqPqiCUZ+3ykeo4PJ+wNy8NTIBM=%"
@colindean
Copy link

Investigating this a bit, with how the jsdelivr CDN works, esp. as recommended in the setup instructions, it's impossible to associate SRI with an imprecise version. Per jsdelivr, https://www.jsdelivr.com/using-sri-with-dynamic-files says:

Do NOT use SRI with:
version aliasing (version ranges) The purpose of version aliasing is getting automatic updates. This obviously means the code can change any time.

The next question is this: what's the danger of pinning to a particular version of the docsearch library?

One way I'm thinking about working around this for my use case, which is a static site, is to retrieve the latest version of the library from the npm registry API:

$ curl -s --header "Accept: application/vnd.npm.install-v1+json" https://registry.npmjs.org/@docsearch/js | \
  jq -r '.["dist-tags"].latest'
3.5.2

Then retrieve the content of jsdelivr's cache at that version and get the SRI hash:

$ curl -s --header "Accept: application/javascript" https://cdn.jsdelivr.net/npm/@docsearch/[email protected]/dist/umd/index.js | \
  shasum -b -a 256 | \
  awk '{ print $1 }' | \
  xxd -r -p | \
  base64
Y1WAhww0aFm/7xcgnD56E3jWSfKlRG9DIB2Tcs8exCQ=

Then, include the output of that in my generated script tag. This would safen the resource, creating only a threat vector at site build time.

Of course, this is a lot if the risk in falling behind docsearch versions is minimal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants