Hi there!
For better security when using a CDN, it could be nice to add subresource integrity to webpack Grav assets engine.
Simplest way that would not break the actual assets engine:
Add two parameters to Grav assets method:
To be able to render out:
<script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>
Users could easily fill those new params from twig.
What's your input on this?
You can already pass 'attributes' to the js() output function like this:
{{ js('cdn_group', {integrity: 'sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC', crossorigin: 'anonymous'}) }}
Not tested but should work.
The ability to arbitrarily pass attributes to addJs() function would be a better solution, but really this Assets class would need a complete rewrite in order to handle that. Maybe something better suited for Grav 2.0
Because assets could have a different integrity hash, I agree with: the ability to arbitrarily pass attributes to addJs() function would be a better solution.
Revamp Assets class 👍 (other issue need that too #1893)
Maybe a Milestone or a Project could be a good place to keep things organised about Grav2.0 and this kind of specific feature?
I would be happy to help you organise issues if it's useful for Grav dev.
Good luck @ work and tks again for your amazing job on Grav. (1386 issues closed, that's crazy 💯 !!!!!)
This function would be very useful.
This refactor was done as part of 1.6. It’s available on the current RC release.
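As the thread notes, each asset needs its own integrity value, so the value has to be computed from the exact bytes the CDN serves. The following is an added example (Node.js, not part of the original thread and not Grav code) that computes the value and checks it the way a browser does; the function names `sriHash`, `sriMatches` and `scriptTag` are hypothetical.

```javascript
// Added example, not Grav code: compute and verify Subresource Integrity values.
const crypto = require('node:crypto');

// Hash algorithms SRI allows, ordered weakest to strongest.
const ALGOS = ['sha256', 'sha384', 'sha512'];

// Build the integrity attribute value for one asset's exact bytes.
function sriHash(content, algo = 'sha384') {
  if (!ALGOS.includes(algo)) throw new Error(`unsupported SRI algorithm: ${algo}`);
  return `${algo}-${crypto.createHash(algo).update(content).digest('base64')}`;
}

// Check content as a browser would: parse the space-separated list, ignore
// unknown algorithms, keep only the strongest algorithm present, and accept
// if any hash of that algorithm matches.
function sriMatches(content, integrity) {
  const parsed = integrity.trim().split(/\s+/).map((token) => {
    const expr = token.split('?')[0];               // drop optional ?options
    const dash = expr.indexOf('-');
    if (dash < 0) return { algo: '', digest: '' };  // malformed token
    return { algo: expr.slice(0, dash).toLowerCase(), digest: expr.slice(dash + 1) };
  }).filter((h) => ALGOS.includes(h.algo));
  if (parsed.length === 0) return true;             // no usable metadata: nothing is enforced
  const strongest = Math.max(...parsed.map((h) => ALGOS.indexOf(h.algo)));
  return parsed
    .filter((h) => ALGOS.indexOf(h.algo) === strongest)
    .some((h) => sriHash(content, h.algo) === `${h.algo}-${h.digest}`);
}

// Escape a value for use inside a double-quoted HTML attribute.
const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');

// Render the tag shown in the issue for one asset, with its own hash.
function scriptTag(src, content) {
  return `<script src="${esc(src)}" integrity="${sriHash(content)}" crossorigin="anonymous"></script>`;
}
```

An integrity value that lists only unrecognised algorithms is treated as absent, so a typo in the algorithm prefix silently disables the check.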