Add experimental support for SRI

josh · josh · commit 86fa5dc2bcc2 · 2015-02-08T13:21:11.000-08:00
diff --git a/README.md b/README.md
@@ -128,6 +128,17 @@ The following plugins provide some extras for the Sprockets Asset Pipeline.
 * `config.assets.manifest` (if used) must now include the manifest filename, e.g. `Rails.root.join('config/manifest.json')`. It cannot be a directory.
 * Two cleanup tasks. `rake assets:clean` is now a safe cleanup that only removes older assets that are no longer used. While `rake assets:clobber` nukes the entire `public/assets` directory and clears your filesystem cache. The clean task allows for rolling deploys that may still be linking to an old asset while the new assets are being built.
 
+## Experimental
+
+### [SRI](http://www.w3.org/TR/SRI/) support
+
+Sprockets 3.x adds experimental support for subresource integrity checks. The spec is still evolving and the API may change in backwards incompatible ways.
+
+``` ruby
+javascript_include_tag :application, integrity: true
+# => "<script src="/assets/application.js" integrity="ni:///sha-256;TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs?ct=application/javascript"></script>"
+```
+
 
 ## Contributing
 
diff --git a/lib/sprockets/rails/helper.rb b/lib/sprockets/rails/helper.rb
@@ -89,12 +89,45 @@ def asset_digest_path(path, options = {})
         end
       end
 
+      # Experimental: Get integrity for asset path.
+      #
+      # path    - String path
+      # options - Hash options
+      #
+      # Returns String integrity attribute or nil if no asset was found.
+      def asset_integrity(path, options = {})
+        path = path.to_s
+        if extname = compute_asset_extname(path, options)
+          path = "#{path}#{extname}"
+        end
+
+        if manifest = assets_manifest
+          if digest_path = manifest.assets[path]
+            if metadata = manifest.files[digest_path]
+              return metadata["integrity"]
+            end
+          end
+        end
+
+        if environment = assets_environment
+          if asset = environment[path]
+            return asset.integrity
+          end
+        end
+
+        nil
+      end
+
       # Override javascript tag helper to provide debugging support.
       #
       # Eventually will be deprecated and replaced by source maps.
       def javascript_include_tag(*sources)
         options = sources.extract_options!.stringify_keys
 
+        if options["integrity"] == true
+          compute_integrity = options.delete("integrity")
+        end
+
         if options["debug"] != false && request_debug_assets?
           sources.map { |source|
             if asset = lookup_asset_for_path(source, :type => :javascript)
@@ -106,8 +139,11 @@ def javascript_include_tag(*sources)
             end
           }.flatten.uniq.join("\n").html_safe
         else
-          sources.push(options)
-          super(*sources)
+          sources.map { |source|
+            super(source, compute_integrity ?
+              options.merge("integrity" => asset_integrity(source, :type => :javascript)) :
+              options)
+          }.join("\n").html_safe
         end
       end
 
@@ -116,6 +152,11 @@ def javascript_include_tag(*sources)
       # Eventually will be deprecated and replaced by source maps.
       def stylesheet_link_tag(*sources)
         options = sources.extract_options!.stringify_keys
+
+        if options["integrity"] == true
+          compute_integrity = options.delete("integrity")
+        end
+
         if options["debug"] != false && request_debug_assets?
           sources.map { |source|
             if asset = lookup_asset_for_path(source, :type => :stylesheet)
@@ -127,8 +168,11 @@ def stylesheet_link_tag(*sources)
             end
           }.flatten.uniq.join("\n").html_safe
         else
-          sources.push(options)
-          super(*sources)
+          sources.map { |source|
+            super(source, compute_integrity ?
+              options.merge("integrity" => asset_integrity(source, :type => :stylesheet)) :
+              options)
+          }.join("\n").html_safe
         end
       end
 
diff --git a/test/fixtures/bar.js b/test/fixtures/bar.js
@@ -1 +1,2 @@
 //= require foo
+var Bar;
diff --git a/test/test_helper.rb b/test/test_helper.rb
@@ -49,6 +49,11 @@ def setup
   def test_truth
   end
 
+  def test_foo_and_bar_different_digests
+    refute_equal @foo_js_digest, @bar_js_digest
+    refute_equal @foo_css_digest, @bar_css_digest
+  end
+
   def assert_servable_asset_url(url)
     path, query = url.split("?", 2)
     path = path.sub(@view.assets_prefix, "")
@@ -115,6 +120,22 @@ def test_stylesheet_link_tag
       @view.stylesheet_link_tag("print", :media => "<hax>")
   end
 
+  def test_javascript_include_tag_integrity
+    assert_dom_equal %(<script src="/javascripts/static.js" integrity="ni:///sha-256;TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs?ct=application/javascript"></script>),
+      @view.javascript_include_tag("static", integrity: "ni:///sha-256;TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs?ct=application/javascript")
+
+    assert_dom_equal %(<script src="/javascripts/static.js"></script>),
+      @view.javascript_include_tag("static", integrity: true)
+  end
+
+  def test_stylesheet_link_tag_integrity
+    assert_dom_equal %(<link href="/stylesheets/static.css" media="screen" rel="stylesheet" integrity="ni:///sha-256;5YzTQPuOJz_EpeXfN_-v1sxsjAj_dw8q26abiHZM3A4?ct=text/css" />),
+      @view.stylesheet_link_tag("static", integrity: "ni:///sha-256;5YzTQPuOJz_EpeXfN_-v1sxsjAj_dw8q26abiHZM3A4?ct=text/css")
+
+    assert_dom_equal %(<link href="/stylesheets/static.css" media="screen" rel="stylesheet" />),
+      @view.stylesheet_link_tag("static", integrity: true)
+  end
+
   def test_javascript_path
     assert_equal "/javascripts/xmlhr.js", @view.javascript_path("xmlhr")
     assert_equal "/javascripts/xmlhr.js", @view.javascript_path("xmlhr.js")
@@ -266,6 +287,9 @@ def test_javascript_include_tag
     assert_dom_equal %(<script src="/assets/foo-#{@foo_js_digest}.js"></script>),
       @view.javascript_include_tag(:foo)
 
+    assert_dom_equal %(<script src="/assets/foo-#{@foo_js_digest}.js"></script>\n<script src="/assets/bar-#{@bar_js_digest}.js"></script>),
+      @view.javascript_include_tag(:foo, :bar)
+
     assert_servable_asset_url "/assets/foo-#{@foo_js_digest}.js"
   end
 
@@ -279,9 +303,40 @@ def test_stylesheet_link_tag
     assert_dom_equal %(<link href="/assets/foo-#{@foo_css_digest}.css" media="screen" rel="stylesheet" />),
       @view.stylesheet_link_tag(:foo)
 
+    assert_dom_equal %(<link href="/assets/foo-#{@foo_css_digest}.css" media="screen" rel="stylesheet" />\n<link href="/assets/bar-#{@bar_css_digest}.css" media="screen" rel="stylesheet" />),
+      @view.stylesheet_link_tag(:foo, :bar)
+
     assert_servable_asset_url "/assets/foo-#{@foo_css_digest}.css"
   end
 
+  def test_javascript_include_tag_integrity
+    super
+
+    assert_dom_equal %(<script src="/assets/foo-#{@foo_js_digest}.js" integrity="ni:///sha-256;TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs?ct=application/javascript"></script>),
+      @view.javascript_include_tag("foo", integrity: true)
+    assert_dom_equal %(<script src="/assets/foo-#{@foo_js_digest}.js" integrity="ni:///sha-256;TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs?ct=application/javascript"></script>),
+      @view.javascript_include_tag("foo.js", integrity: true)
+    assert_dom_equal %(<script src="/assets/foo-#{@foo_js_digest}.js" integrity="ni:///sha-256;TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs?ct=application/javascript"></script>),
+      @view.javascript_include_tag(:foo, integrity: true)
+
+    assert_dom_equal %(<script src="/assets/foo-#{@foo_js_digest}.js" integrity="ni:///sha-256;TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs?ct=application/javascript"></script>\n<script src="/assets/bar-#{@bar_js_digest}.js" integrity="ni:///sha-256;g0JYFeYSYGXe376R0JrRzS6CpYpC1HiqtwBsVt_XAWU?ct=application/javascript"></script>),
+      @view.javascript_include_tag(:foo, :bar, integrity: true)
+  end
+
+  def test_stylesheet_link_tag_integrity
+    super
+
+    assert_dom_equal %(<link href="/assets/foo-#{@foo_css_digest}.css" media="screen" rel="stylesheet" integrity="ni:///sha-256;5YzTQPuOJz_EpeXfN_-v1sxsjAj_dw8q26abiHZM3A4?ct=text/css" />),
+      @view.stylesheet_link_tag("foo", integrity: true)
+    assert_dom_equal %(<link href="/assets/foo-#{@foo_css_digest}.css" media="screen" rel="stylesheet" integrity="ni:///sha-256;5YzTQPuOJz_EpeXfN_-v1sxsjAj_dw8q26abiHZM3A4?ct=text/css" />),
+      @view.stylesheet_link_tag("foo.css", integrity: true)
+    assert_dom_equal %(<link href="/assets/foo-#{@foo_css_digest}.css" media="screen" rel="stylesheet" integrity="ni:///sha-256;5YzTQPuOJz_EpeXfN_-v1sxsjAj_dw8q26abiHZM3A4?ct=text/css" />),
+      @view.stylesheet_link_tag(:foo, integrity: true)
+
+    assert_dom_equal %(<link href="/assets/foo-#{@foo_css_digest}.css" media="screen" rel="stylesheet" integrity="ni:///sha-256;5YzTQPuOJz_EpeXfN_-v1sxsjAj_dw8q26abiHZM3A4?ct=text/css" />\n<link href="/assets/bar-#{@bar_css_digest}.css" media="screen" rel="stylesheet" integrity="ni:///sha-256;Vd370-VAW4D96CVpZcjFLXyeHoagI0VHwofmzRXetuE?ct=text/css" />),
+      @view.stylesheet_link_tag(:foo, :bar, integrity: true)
+  end
+
   def test_javascript_path
     super
 
@@ -437,6 +492,13 @@ def setup
     @manifest.assets["foo.js"] = "foo-#{@foo_js_digest}.js"
     @manifest.assets["foo.css"] = "foo-#{@foo_css_digest}.css"
 
+    @manifest.files["foo-#{@foo_js_digest}.js"] = {
+      "integrity" => "ni:///sha-256;TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs?ct=application/javascript"
+    }
+    @manifest.files["foo-#{@foo_css_digest}.css"] = {
+      "integrity" => "ni:///sha-256;5YzTQPuOJz_EpeXfN_-v1sxsjAj_dw8q26abiHZM3A4?ct=text/css"
+    }
+
     @view.digest_assets = true
     @view.assets_environment = nil
     @view.assets_manifest = @manifest
@@ -464,6 +526,28 @@ def test_stylesheet_link_tag
       @view.stylesheet_link_tag(:foo)
   end
 
+  def test_javascript_include_tag_integrity
+    super
+
+    assert_dom_equal %(<script src="/assets/foo-#{@foo_js_digest}.js" integrity="ni:///sha-256;TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs?ct=application/javascript"></script>),
+      @view.javascript_include_tag("foo", integrity: true)
+    assert_dom_equal %(<script src="/assets/foo-#{@foo_js_digest}.js" integrity="ni:///sha-256;TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs?ct=application/javascript"></script>),
+      @view.javascript_include_tag("foo.js", integrity: true)
+    assert_dom_equal %(<script src="/assets/foo-#{@foo_js_digest}.js" integrity="ni:///sha-256;TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs?ct=application/javascript"></script>),
+      @view.javascript_include_tag(:foo, integrity: true)
+  end
+
+  def test_stylesheet_link_tag_integrity
+    super
+
+    assert_dom_equal %(<link href="/assets/foo-#{@foo_css_digest}.css" media="screen" rel="stylesheet" integrity="ni:///sha-256;5YzTQPuOJz_EpeXfN_-v1sxsjAj_dw8q26abiHZM3A4?ct=text/css" />),
+      @view.stylesheet_link_tag("foo", integrity: true)
+    assert_dom_equal %(<link href="/assets/foo-#{@foo_css_digest}.css" media="screen" rel="stylesheet" integrity="ni:///sha-256;5YzTQPuOJz_EpeXfN_-v1sxsjAj_dw8q26abiHZM3A4?ct=text/css" />),
+      @view.stylesheet_link_tag("foo.css", integrity: true)
+    assert_dom_equal %(<link href="/assets/foo-#{@foo_css_digest}.css" media="screen" rel="stylesheet" integrity="ni:///sha-256;5YzTQPuOJz_EpeXfN_-v1sxsjAj_dw8q26abiHZM3A4?ct=text/css" />),
+      @view.stylesheet_link_tag(:foo, integrity: true)
+  end
+
   def test_javascript_path
     super
 
@@ -492,6 +576,12 @@ def setup
 
     @view.debug_assets = true
   end
+
+  def test_javascript_include_tag_integrity
+  end
+
+  def test_stylesheet_link_tag_integrity
+  end
 end
 
 class AssetUrlHelperLinksTarget < HelperTest
