Fixing Subresource Integrity Hashes

sstelfox · March 11, 2021, 10:16pm

I began adding subresource integrity and ran into an issue. The sample found in
the documentation does not produce a valid subresource integrity hash:

<script src="{{ get_url(path="js/app.js") }}" integrity="sha384-{{ get_file_hash(path="js/app.js", sha_type=384) }}"></script>

This check is failing as the get_file_hash() method is returning a hex-encoded
version of the digest instead of a base64 encoded version as defined in the
official spec and MDN.

I haven’t contributed to Zola before, but happy to open a PR with a fix and
update the documentation. The way I see it there are a couple of different
paths to getting to a point where valid integrity hashes could be generated.

The most flexible would likely to be to add two more built-in filters
hex_encode and hex_decode to match the existing base64_encode and
base64_decode. This doesn’t change any existing usage, and is potentially
useful for other things. An updated integrity attribute can be generated like
this:

<script src="{{ get_url(path="js/app.js") }}" integrity="sha384-{{ get_file_hash(path="js/app.js", sha_type=384) | hex_decode | base64_encode }}"></script>

Not very ergonomic but it does work. The next reasonable option would be to add
another optional argument to the existing get_file_hash() method such as
encoding allowing you to specify a base64 encoding instead of a hex decoding.
The resulting usage would look something like the following:

<script src="{{ get_url(path="js/app.js") }}" integrity="sha384-{{ get_file_hash(path="js/app.js", sha_type=384, encoding=base64) }}"></script>

This seems like a relatively small change and shouldn’t have any impact on any
existing usage as long as encoding defaults to hex. The last idea is the most
ergonomic from a user’s perspective, use a dedicated helper for generating the
integrity string. I suspect this falls foul of keeping the feature set minimal,
but wanted to include it as an option anyway. Effectively this would behave the
same way as the existing get_file_hash but properly format the result
specifically for an integrity attribute:

<script src="{{ get_url(path="js/app.js") }}" integrity="{{ get_file_integrity(path="js/app.js", sha_type=384) }}"></script>

All of those options seem like they would be quite quick to implement, and easy
enough to update the documentation at the same time. What direction seems most
appropriate?

keats · March 12, 2021, 7:19am

This is already fixed in 0.14: Next version by Keats · Pull Request #1293 · getzola/zola · GitHub

sstelfox · March 12, 2021, 2:25pm

Oh awesome. I couldn’t find that when I searched. Glad to see it’s already been tackled!

Topic		Replies	Views
Hash-ification of filenames of some static resources Feature requests	7	954	November 27, 2020
A global function for loading resources to base64-encoded data URLs Feature requests	5	647	November 18, 2022
Thoughts about asset prossessing Feature requests	2	1014	December 3, 2020
Using git revision as cache key Support	1	142	December 17, 2023
Zola 0.15 .md shortcode stopped working Support	7	405	December 7, 2021

Fixing Subresource Integrity Hashes

Related topics