- š¬š§United Kingdom catch
Needs a re-roll, change would have to happen in the *Lazy versions of those classes now.
- last update
over 1 year ago 30,056 pass - Issue was unassigned.
- last update
over 1 year ago 30,056 pass - last update
over 1 year ago 30,056 pass - Status changed to Needs review
over 1 year ago 8:18am 22 August 2023 - Status changed to Needs work
over 1 year ago 8:37am 22 August 2023 - š§šŖBelgium wim leers Ghent š§šŖšŖšŗ
- š®š³India narendraR Jaipur, India
Trait added, Changes done in Lazy versions of classes also.
- last update
over 1 year ago 30,068 pass, 86 fail - last update
over 1 year ago 30,135 pass - Status changed to Needs review
over 1 year ago 8:42am 4 September 2023 - Status changed to Needs work
over 1 year ago 6:14pm 4 September 2023 - šŗšøUnited States smustgrave
Have not reviewed.
Moving to NW for the test coverage. But good to see all the current tests passed!
- Status changed to Needs review
over 1 year ago 9:14am 8 September 2023 - š®š³India narendraR Jaipur, India
Done Apache benchmark testing on local.
Screenshots attached.
On 11.x without SRI:
With Sha-256
With Sha-384
With Sha-512
- š¬š§United Kingdom catch
I don't think apache bench will give useful results here because the optimizer logic is cached per set of assets. Having said that sha384 and sha512 appear noticeably slower than HEAD and sha256 so if that's repeatable, then something might be getting picked up.
- šŗšøUnited States smustgrave
@catch should this be moved back to NW?
- š¬š§United Kingdom catch
@smustgrave no I think we need better benchmarking - I would probably have used microtime() style benchmarking for this so it's possible to compare only the hashing logic and not the entire request.
- š®š³India narendraR Jaipur, India
Added microtime in patch for testing, and below are my findings:
sha512:
Logged-In, home page after cache clear:
CSS Execution Time: 0.00030803680419922 seconds
CSS Execution Time: 0.00040578842163086 seconds
JS Execution Time: 2.0980834960938E-5 seconds
JS Execution Time: 0.0010080337524414 secondsAnonymous, home page after cache clear:
CSS Execution Time: 5.2928924560547E-5 seconds
CSS Execution Time: 0.00041604042053223 seconds
JS Execution Time: 0.00011801719665527 secondssha384
Logged-In, home page after cache clear:
CSS Execution Time: 0.00030779838562012 seconds
CSS Execution Time: 0.00040507316589355 seconds
JS Execution Time: 1.8119812011719E-5 seconds
JS Execution Time: 0.0010049343109131 secondsAnonymous, home page after cache clear:
CSS Execution Time: 9.2029571533203E-5 seconds
CSS Execution Time: 0.00089097023010254 seconds
JS Execution Time: 0.00011897087097168 secondssha256:
Logged-In, home page after cache clear:
CSS Execution Time: 0.00047683715820312 seconds
CSS Execution Time: 0.00062894821166992 seconds
JS Execution Time: 2.0980834960938E-5 seconds
JS Execution Time: 0.0015959739685059 secondsAnonymous, home page after cache clear:
CSS Execution Time: 7.2002410888672E-5 seconds
CSS Execution Time: 0.00062084197998047 seconds
JS Execution Time: 0.00017786026000977 seconds - Status changed to Needs work
over 1 year ago 5:08pm 3 October 2023 The Needs Review Queue Bot ā tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
This does not mean that the patch needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide ā to find step-by-step guides for working with issues.
- Status changed to Needs review
over 1 year ago 11:02am 4 October 2023 - Status changed to Needs work
over 1 year ago 12:17pm 4 October 2023 The Needs Review Queue Bot ā tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
This does not mean that the patch needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide ā to find step-by-step guides for working with issues.
- š¬š§United Kingdom catch
I think 'seconds' in the patch should be 'microseconds'?
- Status changed to Needs review
over 1 year ago 1:02pm 4 October 2023 - last update
over 1 year ago 30,341 pass - Status changed to Needs work
over 1 year ago 3:45pm 7 December 2023 - šŗšøUnited States neclimdul Houston, TX
Skimming the discussion, I'm not sure which result was giving multiple seconds. Do you mean the _really_ small results that are in scientific notation with E-5?
I'm curious how this is able to generate hashes of files that are lazily generated. Some more digging to understand the patch I guess unless someone has a hint.
Marking NW and adding needs tests back because there are not tests in the patch. We can continue discussing performance impact outside that fact.
- š¬š§United Kingdom catch
Do you mean the _really_ small results that are in scientific notation with E-5?
Doh... yes, missed that the E-5...
- Status changed to Needs review
over 1 year ago 9:46am 13 December 2023 - last update
over 1 year ago 30,714 pass - Status changed to Needs work
over 1 year ago 9:08am 14 December 2023 - š§šŖBelgium wim leers Ghent š§šŖšŖšŗ
-
+++ b/core/lib/Drupal/Core/Asset/CssCollectionOptimizer.php @@ -150,6 +152,8 @@ public function optimize(array $css_assets, array $libraries) { + // Implement SRI. +++ b/core/lib/Drupal/Core/Asset/JsCollectionOptimizer.php @@ -149,6 +151,8 @@ public function optimize(array $js_assets, array $libraries) { + // Implement SRI.š¤ Nit: I think these comments can be omitted now?
-
+++ b/core/tests/Drupal/FunctionalTests/Asset/AssetOptimizationTest.php @@ -337,4 +337,23 @@ protected function invalidExclude(string $url): string { + $this->assertStringContainsString('integrity="sha512-', $page->getContent());Shouldn't we also test the correctness of the hash?
If we get this wrong, the consequences could be pretty big? Browsers would REFUSE to execute the JS or apply the CSS! See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integr....
ā¦ or I guess that would mean all of our functional JS tests would fail? š¤
Can we make the SRI attribute intentionally incorrect for a moment to check whether that would indeed those tests to fail? š
-
- š¬š§United Kingdom catch
+++ b/core/lib/Drupal/Core/Asset/AssetSetSriTrait.php index ec3b805c971..006fe21e8ba 100644 --- a/core/lib/Drupal/Core/Asset/CssCollectionOptimizer.phpNot sure about adding this to the deprecated classes - I guess it doesn't hurt, but could also be left out.
- š¬š§United Kingdom catch
If we get this wrong, the consequences could be pretty big? Browsers would REFUSE to execute the JS or apply the CSS! See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integr....
ā¦ or I guess that would mean all of our functional JS tests would fail?
I think we need to check what happens in this case:
š Aggregated URL hashes for assets can mismatch due to different order of library assets Active
i.e. correct asset definitions, but a mis-matching hash, which is due to indeterminate asset order with the same sets of libraries in certain situations. Ideally we'd never, ever end up in that situation, but at the moment we do.
- š®š³India narendraR Jaipur, India
- last update
over 1 year ago 30,764 pass, 4 fail - last update
over 1 year ago 30,768 pass
