[AssetMapper] Add integrity hash to the default es-module-shims script

smnandre · smnandre · commit 04bfc6c047cb · 2023-12-28T06:54:23.000+01:00
diff --git a/src/Symfony/Component/AssetMapper/ImportMap/ImportMapRenderer.php b/src/Symfony/Component/AssetMapper/ImportMap/ImportMapRenderer.php
@@ -27,7 +27,9 @@
  */
 class ImportMapRenderer
 {
-    private const DEFAULT_ES_MODULE_SHIMS_POLYFILL_URL = 'https://ga.jspm.io/npm:es-module-shims@1.8.0/dist/es-module-shims.js';
+    // https://generator.jspm.io/#S2NnYGAIzSvJLMlJTWEAAMYOgCAOAA
+    private const DEFAULT_ES_MODULE_SHIMS_POLYFILL_URL = 'https://ga.jspm.io/npm:es-module-shims@1.8.2/dist/es-module-shims.js';
+    private const DEFAULT_ES_MODULE_SHIMS_POLYFILL_INTEGRITY = 'sha384-+dzlBT6NPToF0UZu7ZUA6ehxHY8h/TxJOZxzNXKhFD+5He5Hbex+0AIOiSsEaokw';
 
     public function __construct(
         private readonly ImportMapGenerator $importMapGenerator,
@@ -113,11 +115,20 @@ public function render(string|array $entryPoint, array $attributes = []): string
 
         if ($polyFillPath) {
             $url = $this->escapeAttributeValue($polyFillPath);
+            $polyfillAttributes = $scriptAttributes;
+
+            // Add security attributes for the default polyfill hosted on jspm.io
+            if (self::DEFAULT_ES_MODULE_SHIMS_POLYFILL_URL === $polyFillPath) {
+                $polyfillAttributes = $this->createAttributesString([
+                    'crossorigin' => 'anonymous',
+                    'integrity' => self::DEFAULT_ES_MODULE_SHIMS_POLYFILL_INTEGRITY,
+                ] + $attributes);
+            }
 
             $output .= <<<HTML
 
                 <!-- ES Module Shims: Import maps polyfill for modules browsers without import maps support -->
-                <script async src="$url"$scriptAttributes></script>
+                <script async src="$url"$polyfillAttributes></script>
                 HTML;
         }
 
diff --git a/src/Symfony/Component/AssetMapper/Tests/ImportMap/ImportMapRendererTest.php b/src/Symfony/Component/AssetMapper/Tests/ImportMap/ImportMapRendererTest.php
@@ -121,6 +121,7 @@ public function testDefaultPolyfillUsedIfNotInImportmap()
         );
         $html = $renderer->render(['app']);
         $this->assertStringContainsString('<script async src="https://ga.jspm.io/npm:es-module-shims@', $html);
+        $this->assertStringContainsString('es-module-shims.js" crossorigin="anonymous" integrity="sha384-', $html);
     }
 
     public function testCustomScriptAttributes()

Original file line number	Diff line number	Diff line change
`@@ -121,6 +121,7 @@ public function testDefaultPolyfillUsedIfNotInImportmap()`
`121`	`121`	`);`
`122`	`122`	`$html = $renderer->render(['app']);`
`123`	`123`	`$this->assertStringContainsString('<script async src="https://ga.jspm.io/npm:es-module-shims@', $html);`
	`124`	`+ $this->assertStringContainsString('es-module-shims.js" crossorigin="anonymous" integrity="sha384-', $html);`
`124`	`125`	`}`
`125`	`126`
`126`	`127`	`public function testCustomScriptAttributes()`