Commit dc51a2e

falsandtruJonathan Ginsburg
authored andcommitted
feat: support SRI verification of link tags
1 parent 6a54b1c commit dc51a2e


2 files changed

+22
-7
lines changed

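--- a/lib/middleware/karma.js
+++ b/lib/middleware/karma.js
@@ -182,16 +182,16 @@ function createKarmaMiddleware (
 }
 }
 
+const integrityAttribute = file.integrity ? ` integrity="${file.integrity}"` : ''
+const crossOriginAttribute = includeCrossOriginAttribute ? ' crossorigin="anonymous"' : ''
 if (fileType === 'css') {
-scriptTags.push(`<link type="text/css" href="${filePath}" rel="stylesheet">`)
+scriptTags.push(`<link type="text/css" href="${filePath}" rel="stylesheet"${integrityAttribute}${crossOriginAttribute}>`)
 } else if (fileType === 'dom') {
 scriptTags.push(file.content)
 } else if (fileType === 'html') {
-scriptTags.push(`<link href="${filePath}" rel="import">`)
+scriptTags.push(`<link href="${filePath}" rel="import"${integrityAttribute}${crossOriginAttribute}>`)
 } else {
 const scriptType = (SCRIPT_TYPE[fileType] || 'text/javascript')
-const crossOriginAttribute = includeCrossOriginAttribute ? ' crossorigin="anonymous"' : ''
-const integrityAttribute = file.integrity ? ` integrity="${file.integrity}"` : ''
 if (fileType === 'module') {
 scriptTags.push(`<script onerror="throw 'Error loading ${filePath}'" type="${scriptType}" src="${filePath}"${integrityAttribute}${crossOriginAttribute}></script>`)
 } else {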
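Review bot: The `integrity` attribute added to the `rel="import"` link in the `html` branch may give no protection: as far as I know the SRI specification defines enforcement only for scripts and `rel="stylesheet"` links, so a browser can load a modified HTML import without checking the hash. I would either leave the attribute off that tag or state the limit next to it, for example `// integrity is advisory here: SRI is only specified for <script> and rel="stylesheet"`. Separately, `integrityAttribute` is still emitted when `includeCrossOriginAttribute` is false, and a cross-origin stylesheet fetched without CORS is not eligible for integrity validation and gets blocked; a short comment above the two hoisted constants should say that hashed cross-origin files need the cross-origin option on. The enclosing function `createKarmaMiddleware` starts and ends outside this hunk.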

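--- a/test/unit/middleware/karma.spec.js
+++ b/test/unit/middleware/karma.spec.js
@@ -257,7 +257,7 @@ describe('middleware.karma', () => {
 
 response.once('end', () => {
 expect(nextSpy).not.to.have.been.called
-expect(response).to.beServedAs(200, 'CONTEXT\n<link type="text/css" href="/__proxy__/__karma__/absolute/first.css?sha007" rel="stylesheet">\n<link href="/__proxy__/__karma__/absolute/second.html?sha678" rel="import">\n<link type="text/css" href="/__proxy__/__karma__/absolute/third?sha111" rel="stylesheet">\n<link href="/__proxy__/__karma__/absolute/fourth?sha222" rel="import">\n<link type="text/css" href="http://some.url.com/fifth" rel="stylesheet">\n<link href="http://some.url.com/sixth" rel="import">')
+expect(response).to.beServedAs(200, 'CONTEXT\n<link type="text/css" href="/__proxy__/__karma__/absolute/first.css?sha007" rel="stylesheet" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/second.html?sha678" rel="import" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/absolute/third?sha111" rel="stylesheet" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/fourth?sha222" rel="import" crossorigin="anonymous">\n<link type="text/css" href="http://some.url.com/fifth" rel="stylesheet" crossorigin="anonymous">\n<link href="http://some.url.com/sixth" rel="import" crossorigin="anonymous">')
 done()
 })
 
@@ -293,7 +293,22 @@ describe('middleware.karma', () => {
 
 response.once('end', () => {
 expect(nextSpy).not.to.have.been.called
-expect(response).to.beServedAs(200, 'CONTEXT\n<link type="text/css" href="/__proxy__/__karma__/absolute/some/abc/a.css?sha1" rel="stylesheet">\n<link type="text/css" href="/__proxy__/__karma__/base/b.css?sha2" rel="stylesheet">\n<link href="/__proxy__/__karma__/absolute/some/abc/c.html?sha3" rel="import">\n<link href="/__proxy__/__karma__/base/d.html?sha4" rel="import">\n<link type="text/css" href="/__proxy__/__karma__/absolute/some/abc/e?sha5" rel="stylesheet">\n<link type="text/css" href="/__proxy__/__karma__/base/f?sha6" rel="stylesheet">\n<link href="/__proxy__/__karma__/absolute/some/abc/g?sha7" rel="import">\n<link href="/__proxy__/__karma__/base/h?sha8" rel="import">')
+expect(response).to.beServedAs(200, 'CONTEXT\n<link type="text/css" href="/__proxy__/__karma__/absolute/some/abc/a.css?sha1" rel="stylesheet" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/base/b.css?sha2" rel="stylesheet" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/some/abc/c.html?sha3" rel="import" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/base/d.html?sha4" rel="import" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/absolute/some/abc/e?sha5" rel="stylesheet" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/base/f?sha6" rel="stylesheet" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/some/abc/g?sha7" rel="import" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/base/h?sha8" rel="import" crossorigin="anonymous">')
+done()
+})
+
+callHandlerWith('/__karma__/context.html')
+})
+
+it('should serve context.html with link tags with integrity checking', (done) => {
+includedFiles([
+new MockFile('/first.css', 'sha007', undefined, undefined, 'sha256-XXX'),
+new MockFile('/second.html', 'sha678', undefined, undefined, 'sha256-XXX')
+])
+
+response.once('end', () => {
+expect(nextSpy).not.to.have.been.called
+expect(response).to.beServedAs(200, 'CONTEXT\n<link type="text/css" href="/__proxy__/__karma__/absolute/first.css?sha007" rel="stylesheet" integrity="sha256-XXX" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/second.html?sha678" rel="import" integrity="sha256-XXX" crossorigin="anonymous">')
 done()
 })
 
@@ -462,7 +477,7 @@ describe('middleware.karma', () => {
 
 response.once('end', () => {
 expect(nextSpy).not.to.have.been.called
-expect(response).to.beServedAs(200, 'DEBUG\n<link type="text/css" href="/__proxy__/__karma__/absolute/first.css" rel="stylesheet">\n<link type="text/css" href="/__proxy__/__karma__/base/b.css" rel="stylesheet">\n<link href="/__proxy__/__karma__/absolute/second.html" rel="import">\n<link href="/__proxy__/__karma__/base/d.html" rel="import">\n<link type="text/css" href="/__proxy__/__karma__/absolute/third" rel="stylesheet">\n<link type="text/css" href="/__proxy__/__karma__/base/f" rel="stylesheet">\n<link href="/__proxy__/__karma__/absolute/fourth" rel="import">\n<link href="/__proxy__/__karma__/base/g" rel="import">')
+expect(response).to.beServedAs(200, 'DEBUG\n<link type="text/css" href="/__proxy__/__karma__/absolute/first.css" rel="stylesheet" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/base/b.css" rel="stylesheet" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/second.html" rel="import" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/base/d.html" rel="import" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/absolute/third" rel="stylesheet" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/base/f" rel="stylesheet" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/fourth" rel="import" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/base/g" rel="import" crossorigin="anonymous">')
 done()
 })
 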
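Review bot: The new test in the second hunk ('should serve context.html with link tags with integrity checking') only shows that the `integrity` value is echoed into the tag; `'sha256-XXX'` is not a real digest and nothing here exercises a mismatched file being rejected. A comment above the `includedFiles` call would keep the test name from being read as more than that, for example `// 'sha256-XXX' is a placeholder: this asserts the attribute is rendered, not that the hash is enforced`. Every expectation visible in this file also has `crossorigin="anonymous"` present, so the integrity-without-crossorigin output of the link branches appears to be unpinned; a case with the cross-origin option turned off would cover it.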