Subresource Integrity in production builds

[julien-f]

Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.

<script
  src="https://example.com/example-framework.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"
></script>

It should probably be implemented similarly to the hash generation for cache busting.

Source: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

[gaearon]

Looks cool. We could do this if somebody contributes it to HtmlWebpackPlugin.

[julien-f]

webpack-subresource-integrity :)

[gaearon]

We'd use this if it was generated in inject: true mode.

[gaearon]

Closing because while it sounds "nice" it doesn't seem like a must-have. If you contribute this to work with HtmlWebpackPlugin's inject mode we'd be happy to enable it.

[XVincentX]

According to jantimon/html-webpack-plugin#491 - it's already built in.

[gaearon]

Happy to take a PR implementing this!

[XVincentX]

@gaearon Cool, it should not be that hard. Let's see if I can come up with something.

[XVincentX]

@gaearon I kicked off #1176

[gaearon]

Fixed via #1176.