Contrib.social

Implement SRI for aggregated assets

Open on Drupal.org ā†’
Created on 18 August 2022, almost 2 years ago
Updated 18 December 2023, 6 months ago

Problem/Motivation

Implement SRI for aggregated JS libraries

Steps to reproduce

Install Drupal, enable JS aggregation and inspect a page - see no SRI in place

Proposed resolution

Implement SRI for aggregated JS libraries

Remaining tasks

Make it configurable

User interface changes

none

API changes

none

Data model changes

none

Release notes snippet

āœØ Feature request
Status

Needs work

Version

11.0 šŸ”„

Component
Asset libraryĀ  ā†’

Last updated 1 day ago

No maintainer
Created by

šŸ‡©šŸ‡ŖGermany Emil Stoianov

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Needs frontend framework manager review

    Used to alert the fron-tend framework manager core committer(s) that a front-end focused issue significantly impacts (or has the potential to impact) multiple subsystems or represents a significant change or addition in architecture or public APIs, and their signoff is needed (see the governance policy for more information). If an issue significantly impacts only one subsystem, use Needs subsystem maintainer review instead, and make sure the issue component is set to the correct subsystem.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 10 months ago ā†’
    šŸ‡¬šŸ‡§United Kingdom catch

    Needs a re-roll, change would have to happen in the *Lazy versions of those classes now.

  • Comment 10 months ago ā†’
    šŸ‡§šŸ‡ŖBelgium Wim Leers Ghent šŸ‡§šŸ‡ŖšŸ‡ŖšŸ‡ŗ
  • Open in Jenkins ā†’ Open on Drupal.org ā†’
    Environment: PHP 8.2 & MySQL 8
    last update 10 months ago
    30,056 pass
  • Issue was unassigned.
  • Comment 10 months ago ā†’
    šŸ‡®šŸ‡³India AkashKumar07

    Adding a reroll of #17.

  • Open in Jenkins ā†’ Open on Drupal.org ā†’
    Environment: PHP 8.1 & MySQL 5.7
    last update 10 months ago
    30,056 pass
  • Open in Jenkins ā†’ Open on Drupal.org ā†’
    Environment: PHP 8.2 & MySQL 8
    last update 10 months ago
    30,056 pass
  • Status changed to Needs review 10 months ago
  • Comment 10 months ago ā†’
    šŸ‡®šŸ‡³India AkashKumar07
  • Status changed to Needs work 10 months ago
  • Comment 10 months ago ā†’
    šŸ‡§šŸ‡ŖBelgium Wim Leers Ghent šŸ‡§šŸ‡ŖšŸ‡ŖšŸ‡ŗ

    Thanks, @AkashKumar07! šŸ˜Š

    Unfortunately, #18 has not yet been addressed. It's still happening only in the deprecated classes šŸ˜‡

    This also still needs test coverage and profiling (see #15).

  • Comment 10 months ago ā†’
    šŸ‡®šŸ‡³India narendraR Jaipur, India

    Trait added, Changes done in Lazy versions of classes also.

  • Open in Jenkins ā†’ Open on Drupal.org ā†’
    Environment: PHP 8.2 & MySQL 8
    last update 10 months ago
    30,068 pass, 86 fail
  • Comment 10 months ago ā†’
    šŸ‡®šŸ‡³India narendraR Jaipur, India
  • Open in Jenkins ā†’ Open on Drupal.org ā†’
    Environment: PHP 8.2 & MySQL 8
    last update 10 months ago
    30,135 pass
  • Status changed to Needs review 10 months ago
  • Comment 10 months ago ā†’
    šŸ‡®šŸ‡³India narendraR Jaipur, India
  • Status changed to Needs work 10 months ago
  • Comment 10 months ago ā†’
    šŸ‡ŗšŸ‡øUnited States smustgrave

    Have not reviewed.

    Moving to NW for the test coverage. But good to see all the current tests passed!

  • Status changed to Needs review 10 months ago
  • Comment 10 months ago ā†’
    šŸ‡®šŸ‡³India narendraR Jaipur, India

    Done Apache benchmark testing on local.

    Screenshots attached.
    On 11.x without SRI:

    With Sha-256

    With Sha-384

    With Sha-512

  • Comment 10 months ago ā†’
    šŸ‡¬šŸ‡§United Kingdom catch

    I don't think apache bench will give useful results here because the optimizer logic is cached per set of assets. Having said that sha384 and sha512 appear noticeably slower than HEAD and sha256 so if that's repeatable, then something might be getting picked up.

  • Comment 9 months ago ā†’
    šŸ‡ŗšŸ‡øUnited States smustgrave

    @catch should this be moved back to NW?

  • Comment 9 months ago ā†’
    šŸ‡¬šŸ‡§United Kingdom catch

    @smustgrave no I think we need better benchmarking - I would probably have used microtime() style benchmarking for this so it's possible to compare only the hashing logic and not the entire request.

  • Comment 9 months ago ā†’
    šŸ‡®šŸ‡³India narendraR Jaipur, India

    Added microtime in patch for testing, and below are my findings:

    sha512:
    Logged-In, home page after cache clear:
    CSS Execution Time: 0.00030803680419922 seconds
    CSS Execution Time: 0.00040578842163086 seconds
    JS Execution Time: 2.0980834960938E-5 seconds
    JS Execution Time: 0.0010080337524414 seconds

    Anonymous, home page after cache clear:
    CSS Execution Time: 5.2928924560547E-5 seconds
    CSS Execution Time: 0.00041604042053223 seconds
    JS Execution Time: 0.00011801719665527 seconds

    sha384
    Logged-In, home page after cache clear:
    CSS Execution Time: 0.00030779838562012 seconds
    CSS Execution Time: 0.00040507316589355 seconds
    JS Execution Time: 1.8119812011719E-5 seconds
    JS Execution Time: 0.0010049343109131 seconds

    Anonymous, home page after cache clear:
    CSS Execution Time: 9.2029571533203E-5 seconds
    CSS Execution Time: 0.00089097023010254 seconds
    JS Execution Time: 0.00011897087097168 seconds

    sha256:
    Logged-In, home page after cache clear:
    CSS Execution Time: 0.00047683715820312 seconds
    CSS Execution Time: 0.00062894821166992 seconds
    JS Execution Time: 2.0980834960938E-5 seconds
    JS Execution Time: 0.0015959739685059 seconds

    Anonymous, home page after cache clear:
    CSS Execution Time: 7.2002410888672E-5 seconds
    CSS Execution Time: 0.00062084197998047 seconds
    JS Execution Time: 0.00017786026000977 seconds

  • Status changed to Needs work 9 months ago
  • Comment 9 months ago ā†’
    needs-review-queue-bot

    The Needs Review Queue Bot ā†’ tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    This does not mean that the patch needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide ā†’ to find step-by-step guides for working with issues.

  • Status changed to Needs review 9 months ago
  • Comment 9 months ago ā†’
    šŸ‡®šŸ‡³India narendraR Jaipur, India

    Test failure seems to be related to #31

  • Status changed to Needs work 9 months ago
  • Comment 9 months ago ā†’
    needs-review-queue-bot

    The Needs Review Queue Bot ā†’ tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    This does not mean that the patch needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide ā†’ to find step-by-step guides for working with issues.

  • Comment 9 months ago ā†’
    šŸ‡¬šŸ‡§United Kingdom catch

    I think 'seconds' in the patch should be 'microseconds'?

  • Status changed to Needs review 9 months ago
  • Comment 9 months ago ā†’
    šŸ‡®šŸ‡³India narendraR Jaipur, India

    Avoided test bot for now.

  • Open in Jenkins ā†’ Open on Drupal.org ā†’
    Environment: PHP 8.1 & MySQL 5.7
    last update 8 months ago
    30,341 pass
  • Status changed to Needs work 7 months ago
  • Comment 7 months ago ā†’
    šŸ‡ŗšŸ‡øUnited States neclimdul Houston, TX

    Skimming the discussion, I'm not sure which result was giving multiple seconds. Do you mean the _really_ small results that are in scientific notation with E-5?

    I'm curious how this is able to generate hashes of files that are lazily generated. Some more digging to understand the patch I guess unless someone has a hint.

    Marking NW and adding needs tests back because there are not tests in the patch. We can continue discussing performance impact outside that fact.

  • Comment 7 months ago ā†’
    šŸ‡¬šŸ‡§United Kingdom catch

    Do you mean the _really_ small results that are in scientific notation with E-5?

    Doh... yes, missed that the E-5...

  • Comment 7 months ago ā†’
    šŸ‡¦šŸ‡ŗAustralia larowlan šŸ‡¦šŸ‡ŗšŸ.au GMT+10

    Also #15 asked for the method to be in a trait, I agree that feels reasonable even though its not the rule of 3

  • Status changed to Needs review 7 months ago
  • Comment 7 months ago ā†’
    šŸ‡®šŸ‡³India narendraR Jaipur, India
  • Open in Jenkins ā†’ Open on Drupal.org ā†’
    Environment: PHP 8.2 & MySQL 8
    last update 7 months ago
    30,714 pass
  • Status changed to Needs work 6 months ago
  • Comment 6 months ago ā†’
    šŸ‡§šŸ‡ŖBelgium Wim Leers Ghent šŸ‡§šŸ‡ŖšŸ‡ŖšŸ‡ŗ
    1. +++ b/core/lib/Drupal/Core/Asset/CssCollectionOptimizer.php
@@ -150,6 +152,8 @@ public function optimize(array $css_assets, array $libraries) {
+              // Implement SRI.

+++ b/core/lib/Drupal/Core/Asset/JsCollectionOptimizer.php
@@ -149,6 +151,8 @@ public function optimize(array $js_assets, array $libraries) {
+              // Implement SRI.

      šŸ¤“ Nit: I think these comments can be omitted now? 

    2. +++ b/core/tests/Drupal/FunctionalTests/Asset/AssetOptimizationTest.php
@@ -337,4 +337,23 @@ protected function invalidExclude(string $url): string {
+    $this->assertStringContainsString('integrity="sha512-', $page->getContent());

      Shouldn't we also test the correctness of the hash?

      If we get this wrong, the consequences could be pretty big? Browsers would REFUSE to execute the JS or apply the CSS! See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integr....

      ā€¦ or I guess that would mean all of our functional JS tests would fail? šŸ¤”

      Can we make the SRI attribute intentionally incorrect for a moment to check whether that would indeed those tests to fail? šŸ™

  • Comment 6 months ago ā†’
    šŸ‡¬šŸ‡§United Kingdom catch 
    +++ b/core/lib/Drupal/Core/Asset/AssetSetSriTrait.php
index ec3b805c971..006fe21e8ba 100644
--- a/core/lib/Drupal/Core/Asset/CssCollectionOptimizer.php

    Not sure about adding this to the deprecated classes - I guess it doesn't hurt, but could also be left out.

  • Comment 6 months ago ā†’
    šŸ‡¬šŸ‡§United Kingdom catch

    If we get this wrong, the consequences could be pretty big? Browsers would REFUSE to execute the JS or apply the CSS! See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integr....

    ā€¦ or I guess that would mean all of our functional JS tests would fail?

    I think we need to check what happens in this case:

    šŸ› Aggregated URL hashes for assets can mismatch due to different order of library assets Active

    i.e. correct asset definitions, but a mis-matching hash, which is due to indeterminate asset order with the same sets of libraries in certain situations. Ideally we'd never, ever end up in that situation, but at the moment we do.

  • Comment 6 months ago ā†’
    šŸ‡®šŸ‡³India narendraR Jaipur, India

    Addressed #42 and #41 except

    Can we make the SRI attribute intentionally incorrect for a moment to check whether that would indeed those tests to fail?
  • Open in Jenkins ā†’ Open on Drupal.org ā†’
    Environment: PHP 8.2 & MySQL 8
    last update 6 months ago
    30,764 pass, 4 fail
  • Open in Jenkins ā†’ Open on Drupal.org ā†’
    Environment: PHP 8.2 & MySQL 8
    last update 6 months ago
    30,768 pass
contrib.social Blog FAQ Discussions
Production build 0.69.0 2024