8000 [AssetMapper] Add integrity metadata to importmaps by MatTheCat · Pull Request #60378 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

[AssetMapper] Add integrity metadata to importmaps #60378

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. 8000 We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: 7.3
Choose a base branch
from
Open

[AssetMapper] Add integrity metadata to importmaps #60378

wants to merge 1 commit into from

Conversation

MatTheCat
Copy link
Contributor
@MatTheCat MatTheCat commented May 7, 2025
edited
Loading
Q A
Branch? 7.3
Bug fix? no
New feature? yes
Deprecations? no
Issues Fix #60362
License MIT

Takes over #5 8000 8722 because I missed it existed..!

@carsonbot carsonbot added this to the 7.3 milestone May 7, 2025
@MatTheCat MatTheCat force-pushed the ticket_60362 branch 2 times, most recently from 37d5d36 to 4648474 Compare May 13, 2025 12:22
@smnandre
Copy link
Member

If you want to check, started some work was done here #58722

(and was waiting for people to step in and help, so really glad you did here 👍 )

smnandre
smnandre reviewed May 16, 2025
View reviewed changes
src/Symfony/Component/AssetMapper/Factory/MappedAssetFactory.php
@@ -25,6 +26,7 @@ class MappedAssetFactory implements MappedAssetFactoryInterface
{
private const PREDIGESTED_REGEX = '/-([0-9a-zA-Z]{7,128}\.digested)/';
private const PUBLIC_DIGEST_LENGTH = 7;
private const INTEGRITY_HASH_ALGORITHMS = ['sha256', 'sha384', 'sha512'];
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to other 8000 s. Learn more.

Do we really need multiple algorithms ?

Copy link
Contributor Author
@MatTheCat MatTheCat May 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think so: it’s required to support https://w3c.github.io/webappsec-subresource-integrity/#agility, and people apparently don’t agree on what the default algorithm should be.

smnandre
smnandre reviewed May 16, 2025
View reviewed changes
src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php Outdated
->info('Array of algorithms used to compute importmap resources integrity.')
->beforeNormalization()->castToArray()->end()
->prototype('scalar')->end()
->defaultValue(['sha384'])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
->defaultValue(['sha384'])
->defaultNull()

This would be a BC break imho.

But it will also slow down the build time / memory usage.. so I do not think this is something that should be enabled per default (like cors)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense; guess the recipe would be a good place to put this default then?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smnandre smnandre smnandre left review comments

Assignees
No one assigned
Labels
AssetMapper Feature Status: Needs Review
Projects
None yet
Milestone
7.3
Development

Successfully merging this pull request may close these issues.

[AssetMapper] Add integrity hashes to import maps
3 participants
@MatTheCat @smnandre @carsonbot
0