Phoenix: SRI (Subresource Integrity) using cache_manifest.json

Created on 12 Sep 2017 · 7 Comments · Source: phoenixframework/phoenix

Not a bug, but a discussion if this is something you would merge into Phoenix (and if so: how).

Let's start with a small intro. SRI (or Subresource Integrity: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is a new browser feature intended to make your website a bit safer, especially if you use a CDN to serve static content. The idea is that you include a hash for the original script or CSS inside your script or style tag. The browser will compare the hash with the served file (from the CDN) and reject it if there is a mismatch (i.e. if the CDN has served a tampered file).

The tag should look something like this (I used a script tag, but it also supports style tags):

<script
  src="/js/app-ca6fe8ab7cb2e1c4a46d511a2d4e877c.js?vsn=d"
  integrity="sha512-ssOjV24ABrEBpcRVCvdippen4VFEKdhfQEvY1D66K4Wcr/9eTuoS0r8iBitvQymLQ4aYzdW2p4+KGtrd5e61Gg==">
</script>

This got me thinking. As Phoenix already supports the cache_manifest.json file for digested lookups, this could also be used to calculate the sha512 hash. In that case we could create a method similar to static_path/1, say integrity_hash/1, which could be injected into the HTML.

Now, I just started looking at the Digester and it's a breeze to add the hash there. We simply add the following key to the digests key.

integrity: "sha512-#{Base.encode64(:crypto.hash(:sha512, content))}"

But here is my first question: The method cache_static_manifest/1 inside supervisor.ex states on line 333:

# TODO v1.4: No longer support old manifests
manifest["latest"] || manifest

Is this to say the old style is the digests key? If so, adding the integrity key to the old-style would probably not be a good idea.

I just wanted to double-check and confirm or deny this, and get some input on what would be the best approach and if this would be of interest in Phoenix core before I got started.
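The flow proposed above, as an added example written for this page (it is not Phoenix's own Digester or static_path/1 code): compute the `integrity` value the way the post suggests, store it next to the existing manifest fields, resolve it through a hypothetical `integrity_hash/2` helper, emit the script tag, and recompute the hash on the served body the way a browser would. The manifest shape (`"latest"` mapping logical paths to digested paths, `"digests"` keyed by digested path) and the `<name>-<md5 hex><ext>` file naming are assumptions about cache_manifest.json, and the sample JavaScript content is constructed.

```elixir
# Added example, not Phoenix code. Assumptions: manifest layout with "latest"/"digests"
# keys and md5-hex digested file names; integrity_hash/2 and script_tag/2 are hypothetical.
defmodule SRIExample do
  @algos [:sha256, :sha384, :sha512]

  # SRI attribute value: "<algo>-<base64(hash(content))>", exactly what the post proposes.
  def integrity(content, algo \\ :sha512) when algo in @algos do
    Atom.to_string(algo) <> "-" <> Base.encode64(:crypto.hash(algo, content))
  end

  # Build the manifest entries for one asset and add the proposed "integrity" key.
  def digest(logical_path, content) do
    digest = Base.encode16(:crypto.hash(:md5, content), case: :lower)
    ext = Path.extname(logical_path)
    digested_path = Path.rootname(logical_path) <> "-" <> digest <> ext

    %{
      "latest" => %{logical_path => digested_path},
      "digests" => %{
        digested_path => %{
          "logical_path" => logical_path,
          "digest" => digest,
          "integrity" => integrity(content)
        }
      }
    }
  end

  # Hypothetical integrity_hash/2: resolve a logical path through "latest" and read
  # the "integrity" value stored under "digests". Returns :error if anything is missing.
  def integrity_hash(manifest, logical_path) do
    with %{} = latest <- manifest["latest"],
         digested when is_binary(digested) <- latest[logical_path],
         %{"integrity" => sri} <- manifest["digests"][digested] do
      {:ok, sri}
    else
      _ -> :error
    end
  end

  # Render the tag. crossorigin="anonymous" is required for SRI checks on a
  # cross-origin (CDN) fetch; the "/" prefix stands in for static_path/1.
  def script_tag(manifest, logical_path) do
    {:ok, sri} = integrity_hash(manifest, logical_path)
    src = "/" <> manifest["latest"][logical_path]
    ~s(<script src="#{src}" integrity="#{sri}" crossorigin="anonymous"></script>)
  end

  # What the browser does on fetch: recompute the hash over the served body and
  # compare it with the attribute; a modified body is rejected.
  def verify(content, sri) do
    [algo_name, b64] = String.split(sri, "-", parts: 2)
    expected = Base.decode64!(b64)

    if :crypto.hash(algo_from(algo_name), content) == expected,
      do: :ok,
      else: {:error, :integrity_mismatch}
  end

  defp algo_from("sha256"), do: :sha256
  defp algo_from("sha384"), do: :sha384
  defp algo_from("sha512"), do: :sha512

  # Constructed sample; run `SRIExample.demo()` in iex.
  def demo do
    content = "console.log(\"hello\");\n"
    manifest = digest("js/app.js", content)
    {:ok, sri} = integrity_hash(manifest, "js/app.js")
    :ok = verify(content, sri)
    {:error, :integrity_mismatch} = verify(content <> "// tampered\n", sri)
    script_tag(manifest, "js/app.js")
  end
end
```

`integrity/2` defaults to sha512 because that is the strongest of the three algorithms browsers accept; if the served file is ever regenerated without re-running the digester, the stored value goes stale and the browser will refuse the asset, so the `integrity` key has to be written in the same pass that produces the digested file name.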

All 7 comments

I would be 👍 for this change, and it would finally justify the existence of the script_tag helper function in the phoenix_html project since now we can do this by default. If this is something you would like to take on, please send a PR. With respect to the old style, we only need to support the current one.

I will pick it up this weekend. Just as a final check: is it safe to add the integrity hash into the digests key of the manifest or is that the 'old' way?

That should be fine. The digests key is the current way.

@foeken any update?

Ping @foeken, any progress on this one?

If someone is interested in still working on this one, please let us know and we'll continue the discussion, but it's not on the plate for the 1.4 release. Thanks!

It's one thing to generate the SRI from Phoenix, but in order for this to be enforced, custom headers have to be generated by Phoenix, right?
After using two packages for that, enabling require-sri-for just gives me a warning in the console that this feature is behind a flag (on Chrome 63).
Even generating the SRI manually, is there even a way to use the feature currently with Phoenix?
(Just asking because I couldn't get it to work.)
