feat(@angular/build): subresource integrity validation for dynamically loaded modules#33109
Conversation
angular-robot
Bot
added
detected: feature
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces Subresource Integrity (SRI) support for lazy-loaded JavaScript chunks by generating an integrity-only import map within the index HTML. The changes include calculating SHA-384 hashes for browser output files and injecting them into a <script type="importmap"> block. Review feedback suggests refining the integrity map keys by removing hardcoded leading slashes to improve compatibility with various deployment configurations and filtering out initial bundles to avoid redundant metadata. Additionally, updates to the documentation and test suite were recommended to align with these refinements.
I checked if there are any meaning docs regarding SRI but haven't found anything ... Though I don't see a reason to update the docs, as there was no previous documentation of any limitations of SRI and the support now is just more complete. |
|
Thank you for the contribution. It appears that there are several lint and test failures. Can you fix those? And then the team can review. |
|
@clydin ahh yes sorry somehow slipped through been dangling multiple PRs regarding this topic. This should now be fixed. It's passing on my local machine |
IchordeDionysos
force-pushed
the
feat/sub-resource-integrity-support-for-dynamic-chunks
branch
from
816b1a8 to
9f979e9
Compare
|
@clydin just squashed the commits :) |
clydin
left a comment
clydin
left a comment
There was a problem hiding this comment.
Looks like several files are out of format as well.
Thank you for the contribution.
| const integrity = importmap.integrity['/' + file] ?? importmap.integrity[file]; | ||
| if (integrity !== undefined) { | ||
| expect(integrity) | ||
| .withContext('integrity entry for ' + file) | ||
| .toBe(expectedSri); | ||
| } |
There was a problem hiding this comment.
Can you rework the logic for this part of the test? An empty import map will pass here which from the comment does not appear to be the intention.
There was a problem hiding this comment.
Improved the tests here.
| integrity[generateUrl(url, deployUrl)] = integrityHash; | ||
| } | ||
| headerLinkTags.push( | ||
| `<script type="importmap">${JSON.stringify({ integrity })}</script>`, |
There was a problem hiding this comment.
Unlikely to occur but can you escape the < character (\\u003c) from the stringified JSON?
|
|
||
| // Emit an integrity-only import map so the browser can validate lazy chunks | ||
| // resolved via dynamic `import()` (which otherwise carry no SRI metadata). | ||
| // The block is placed first inside `<head>` so it precedes any module |
There was a problem hiding this comment.
headerLinkTags will actually be at the bottom of the <head> since they are appended during the end tag event. Script tags are inserted into the <body> so still after the import map though.
There was a problem hiding this comment.
Unless the rewriter would always fire the base case startTag event when because the base tag is added when missing 🤔
IchordeDionysos
force-pushed
the
feat/sub-resource-integrity-support-for-dynamic-chunks
branch
2 times, most recently
from
7e19b0d to
f6e5a94
Compare
IchordeDionysos
left a comment
IchordeDionysos
left a comment
There was a problem hiding this comment.
Fixed the formatting issues
|
|
||
| // Emit an integrity-only import map so the browser can validate lazy chunks | ||
| // resolved via dynamic `import()` (which otherwise carry no SRI metadata). | ||
| // The block is placed first inside `<head>` so it precedes any module |
| integrity[generateUrl(url, deployUrl)] = integrityHash; | ||
| } | ||
| headerLinkTags.push( | ||
| `<script type="importmap">${JSON.stringify({ integrity })}</script>`, |
|
|
||
| // Emit an integrity-only import map so the browser can validate lazy chunks | ||
| // resolved via dynamic `import()` (which otherwise carry no SRI metadata). | ||
| // The block is placed first inside `<head>` so it precedes any module |
There was a problem hiding this comment.
Unless the rewriter would always fire the base case startTag event when because the base tag is added when missing 🤔
…y loaded modules Adds support for verifying the integrity of dynamically loaded sub-resources by generating and pre-pending an import map with integrity hashes in the index.html Closes angular#30724 Apply suggestions from code review Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> style: Fix lint issues test: Fix missing lazy modules resulting in test failures test: Adjust test to validate more specific assumptions fix: Escape < in generated importmap JSON style: fix all formatting issues in angular-build refactor: Inject importmap after base tag
IchordeDionysos
force-pushed
the
feat/sub-resource-integrity-support-for-dynamic-chunks
branch
from
f6e5a94 to
bc88ad9
Compare
2 participants
Adds support for verifying the integrity of dynamically loaded sub-resources by generating and pre-pending an import map with integrity hashes in the index.html
Closes #30724
PR Checklist
Please check to confirm your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
Currently, no integrity checks are done for dynamically loaded files, such as chunks.
Issue Number: #30724
What is the new behavior?
The integrity is validated by adding an importmap into as the first script of the
index.htmlhead with the integrity hashes of the dynamically loaded modules.This will allow the browser to validate the integrity of dynamic imports.
The importmap will be added when Angular build is run with the
--subresource-integrityflag.Does this PR introduce a breaking change?
Other information
This PR is part of a two fold effort to enable SRI for our use of Angular.
While this can be shipped on it's own, there is an additional issue blocking us from using SRI, due to Sentry relying on Debug IDs but Angular not outputting them automatically: #33108
I would appreciate a feedback on the following PR implementing Debug IDs in Angular sourcemaps: #33110