Home

Awesome

Ember-cli-sri

build status npm status dependency status

What is it

This plugin is used to generate Subresource Integrity (SRI) hashes for ember applications. Subresource integrity is a security concept used to check JavaScript and stylesheets are loaded with the correct content when using a CDN.

Why

The reason to add this to your application is to protect against poisoned CDNs breaking JavaScript or CSS subresources.

Installation

Configure

In Brocfile.js or ember-cli-build.js:

var app = new EmberApp({
});

Or:

var app = new EmberApp({
  SRI: {
    crossorigin: 'anonymous'
  },
  fingerprint: {
    prepend: 'https://subdomain.cloudfront.net/'
  }
});

Or:

var app = new EmberApp({
  origin: 'https://subdomain.cloudfront.net/',
  fingerprint: {
    prepend: 'https://subdomain.cloudfront.net/'
  }
});

Options

Example output

<script src="https://example.com/thing-5e1978f9cfa158d9841d7b6d8a4e5c57.js" integrity="sha256-oFeuE/P+XJMjkMS5pAPudQOMGJQ323nQt+DQ+9zbdAg= sha512-+EXjzt0I7g6BjvqqjkkboGyRlFSfIuyzY2SQ43HQKZBrHsjmRzEdjSHhiDzVs30nXL9H0tKw6WbMPc6RfzUumQ==" crossorigin="anonymous" /></script>
<script src="https://example.com/thing-5e1978f9cfa158d9841d7b6d8a4e5c57.js" crossorigin="use-credentials"  integrity="sha256-oFeuE/P+XJMjkMS5pAPudQOMGJQ323nQt+DQ+9zbdAg= sha512-+EXjzt0I7g6BjvqqjkkboGyRlFSfIuyzY2SQ43HQKZBrHsjmRzEdjSHhiDzVs30nXL9H0tKw6WbMPc6RfzUumQ=="/></script>
<script src="unicode-chars.js" integrity="sha256-TH5eRuwfOSKZE0EKVF4WZ6gVQ/zUch4CZE2knqpS4MU= sha512-eANuTl8NOQEa4/zm44zxX6g7ffwf6NXftA2sv4ZiQURnJsfJkUnYP8XpN2XVVZee4SjB32i28WM6trs9HVgQmA=="/></script>

Fail safe

This addon should fail safely at all times so resources matching https? need:

If the config is not set correctly it should result in just a lack of SRI protection, which is better than a broken website.

Please file bugs if you find a case when the config doesn't 'fail safe', is not clear or results in a broken page.

Gotchas

Crossorigin attribute

When the request doesn't match Same Origin Policy the crossorigin attribute MUST be present for the integrity of the file to be checked. With an integrity set on an external origin and a missing crossorigin the browser will choose to 'fail-open' which means it will load the resource as if the integrity attribute was not set.

Values:

'Fail-open' vs 'Fail-close'

'paranoiaCheck'

There was an encoding issue based on certain characters when using Chrome, the fix for which landed in Chrome 46. This check fails if there is any non ASCII characters. On failure the file won't have an integrity attribute added. Currently, it defaults to false (i.e. this check is disabled). You can reenable it if you wish to remain compatible with versions of Chrome < 46.

'fingerprintCheck'

If you are fingerprinting your assets and/or prepending a URL (e.g. to your static web server or CDN), you will likely want to disable this check. Otherwise, if your assets include other assets, they will fail the check and the file won't have an integrity attribute added. Currently, it defaults to false (i.e. this check is disabled). You can reenable it for a little extra confidence that the correct files are being hashed, but only if you are not fingerprinting or prepending your assets and have no plans to in the future.

Browser support

Notes:

Running Tests