[AssetMapper] Add integrity metadata to importmaps #60378
Conversation
37d5d36 to
4648474
Compare
|
If you want to check, started some work was done here #58722 (and was waiting for people to step in and help, so really glad you did here 👍 ) |
| @@ -25,6 +26,7 @@ class MappedAssetFactory implements MappedAssetFactoryInterface | |||
| { | |||
| private const PREDIGESTED_REGEX = '/-([0-9a-zA-Z]{7,128}\.digested)/'; | |||
| private const PUBLIC_DIGEST_LENGTH = 7; | |||
| private const INTEGRITY_HASH_ALGORITHMS = ['sha256', 'sha384', 'sha512']; | |||
There was a problem hiding this comment.
Do we really need multiple algorithms ?
There was a problem hiding this comment.
I think so: it’s required to support https://w3c.github.io/webappsec-subresource-integrity/#agility, and people apparently don’t agree on what the default algorithm should be.
| ->info('Array of algorithms used to compute importmap resources integrity.') | ||
| ->beforeNormalization()->castToArray()->end() | ||
| ->prototype('scalar')->end() | ||
| ->defaultValue(['sha384']) |
There was a problem hiding this comment.
| ->defaultValue(['sha384']) | |
| ->defaultNull() |
This would be a BC break imho.
But it will also slow down the build time / memory usage.. so I do not think this is something that should be enabled per default (like cors)
There was a problem hiding this comment.
Makes sense; guess the recipe would be a good place to put this default then?
365d76d to
f401b42
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
| @@ -25,6 +26,7 @@ class MappedAssetFactory implements MappedAssetFactoryInterface | |||
| { | |||
| private const PREDIGESTED_REGEX = '/-([0-9a-zA-Z]{7,128}\.digested)/'; | |||
| private const PUBLIC_DIGEST_LENGTH = 7; | |||
| private const INTEGRITY_HASH_ALGORITHMS = ['sha256', 'sha384', 'sha512']; | |||
There was a problem hiding this comment.
These names are actually both the integrity prefix and the algorithm. For now they all match so as the list is private I guess we'll update it to a map if needed.
9fd9f8a to
4d298bf
Compare
f2d138f to
46efd35
Compare
| @@ -52,6 +52,7 @@ public function __construct( | |||
| private array $dependencies = [], | |||
| private array $fileDependencies = [], | |||
| private array $javaScriptImports = [], | |||
| public ?string $integrity = null, | |||
There was a problem hiding this comment.
If possible i would make it readonly as the digest ere.. so not a ppp
There was a problem hiding this comment.
Made it readonly, but why not a ppp?
| ->arrayNode('importmap_integrity_algorithms') | ||
| ->info('Array of algorithms used to compute importmap resources integrity.') | ||
| ->beforeNormalization()->castToArray()->end() | ||
| ->prototype('scalar')->end() | ||
| ->defaultValue([]) | ||
| ->end() |
There was a problem hiding this comment.
I would clearly state all of them will be executed for every asset, not just the first one or anything.
This may have a sensible impact on time and energy used on CI or deployment.
There was a problem hiding this comment.
Would a second They will all run for every asset. sentence be clear enough? Or how would you document it?
9f28569 to
33b4561
Compare
Takes over #58722 because I missed it existed..!