feat: support SRI verification of link tags

falsandtru · Jonathan Ginsburg · commit dc51a2e0e9b9 · 2022-06-13T17:31:53.000-07:00
diff --git a/lib/middleware/karma.js b/lib/middleware/karma.js
@@ -182,16 +182,16 @@ function createKarmaMiddleware (
               }
             }
 
+            const integrityAttribute = file.integrity ? ` integrity="${file.integrity}"` : ''
+            const crossOriginAttribute = includeCrossOriginAttribute ? ' crossorigin="anonymous"' : ''
             if (fileType === 'css') {
-              scriptTags.push(`<link type="text/css" href="${filePath}" rel="stylesheet">`)
+              scriptTags.push(`<link type="text/css" href="${filePath}" rel="stylesheet"${integrityAttribute}${crossOriginAttribute}>`)
             } else if (fileType === 'dom') {
               scriptTags.push(file.content)
             } else if (fileType === 'html') {
-              scriptTags.push(`<link href="${filePath}" rel="import">`)
+              scriptTags.push(`<link href="${filePath}" rel="import"${integrityAttribute}${crossOriginAttribute}>`)
             } else {
               const scriptType = (SCRIPT_TYPE[fileType] || 'text/javascript')
-              const crossOriginAttribute = includeCrossOriginAttribute ? ' crossorigin="anonymous"' : ''
-              const integrityAttribute = file.integrity ? ` integrity="${file.integrity}"` : ''
               if (fileType === 'module') {
                 scriptTags.push(`<script onerror="throw 'Error loading ${filePath}'" type="${scriptType}" src="${filePath}"${integrityAttribute}${crossOriginAttribute}></script>`)
               } else {
diff --git a/test/unit/middleware/karma.spec.js b/test/unit/middleware/karma.spec.js
@@ -257,7 +257,7 @@ describe('middleware.karma', () => {
 
     response.once('end', () => {
       expect(nextSpy).not.to.have.been.called
-      expect(response).to.beServedAs(200, 'CONTEXT\n<link type="text/css" href="/__proxy__/__karma__/absolute/first.css?sha007" rel="stylesheet">\n<link href="/__proxy__/__karma__/absolute/second.html?sha678" rel="import">\n<link type="text/css" href="/__proxy__/__karma__/absolute/third?sha111" rel="stylesheet">\n<link href="/__proxy__/__karma__/absolute/fourth?sha222" rel="import">\n<link type="text/css" href="http://some.url.com/fifth" rel="stylesheet">\n<link href="http://some.url.com/sixth" rel="import">')
+      expect(response).to.beServedAs(200, 'CONTEXT\n<link type="text/css" href="/__proxy__/__karma__/absolute/first.css?sha007" rel="stylesheet" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/second.html?sha678" rel="import" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/absolute/third?sha111" rel="stylesheet" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/fourth?sha222" rel="import" crossorigin="anonymous">\n<link type="text/css" href="http://some.url.com/fifth" rel="stylesheet" crossorigin="anonymous">\n<link href="http://some.url.com/sixth" rel="import" crossorigin="anonymous">')
       done()
     })
 
@@ -293,7 +293,22 @@ describe('middleware.karma', () => {
 
     response.once('end', () => {
       expect(nextSpy).not.to.have.been.called
-      expect(response).to.beServedAs(200, 'CONTEXT\n<link type="text/css" href="/__proxy__/__karma__/absolute/some/abc/a.css?sha1" rel="stylesheet">\n<link type="text/css" href="/__proxy__/__karma__/base/b.css?sha2" rel="stylesheet">\n<link href="/__proxy__/__karma__/absolute/some/abc/c.html?sha3" rel="import">\n<link href="/__proxy__/__karma__/base/d.html?sha4" rel="import">\n<link type="text/css" href="/__proxy__/__karma__/absolute/some/abc/e?sha5" rel="stylesheet">\n<link type="text/css" href="/__proxy__/__karma__/base/f?sha6" rel="stylesheet">\n<link href="/__proxy__/__karma__/absolute/some/abc/g?sha7" rel="import">\n<link href="/__proxy__/__karma__/base/h?sha8" rel="import">')
+      expect(response).to.beServedAs(200, 'CONTEXT\n<link type="text/css" href="/__proxy__/__karma__/absolute/some/abc/a.css?sha1" rel="stylesheet" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/base/b.css?sha2" rel="stylesheet" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/some/abc/c.html?sha3" rel="import" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/base/d.html?sha4" rel="import" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/absolute/some/abc/e?sha5" rel="stylesheet" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/base/f?sha6" rel="stylesheet" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/some/abc/g?sha7" rel="import" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/base/h?sha8" rel="import" crossorigin="anonymous">')
+      done()
+    })
+
+    callHandlerWith('/__karma__/context.html')
+  })
+
+  it('should serve context.html with link tags with integrity checking', (done) => {
+    includedFiles([
+      new MockFile('/first.css', 'sha007', undefined, undefined, 'sha256-XXX'),
+      new MockFile('/second.html', 'sha678', undefined, undefined, 'sha256-XXX')
+    ])
+
+    response.once('end', () => {
+      expect(nextSpy).not.to.have.been.called
+      expect(response).to.beServedAs(200, 'CONTEXT\n<link type="text/css" href="/__proxy__/__karma__/absolute/first.css?sha007" rel="stylesheet" integrity="sha256-XXX" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/second.html?sha678" rel="import" integrity="sha256-XXX" crossorigin="anonymous">')
       done()
     })
 
@@ -462,7 +477,7 @@ describe('middleware.karma', () => {
 
     response.once('end', () => {
       expect(nextSpy).not.to.have.been.called
-      expect(response).to.beServedAs(200, 'DEBUG\n<link type="text/css" href="/__proxy__/__karma__/absolute/first.css" rel="stylesheet">\n<link type="text/css" href="/__proxy__/__karma__/base/b.css" rel="stylesheet">\n<link href="/__proxy__/__karma__/absolute/second.html" rel="import">\n<link href="/__proxy__/__karma__/base/d.html" rel="import">\n<link type="text/css" href="/__proxy__/__karma__/absolute/third" rel="stylesheet">\n<link type="text/css" href="/__proxy__/__karma__/base/f" rel="stylesheet">\n<link href="/__proxy__/__karma__/absolute/fourth" rel="import">\n<link href="/__proxy__/__karma__/base/g" rel="import">')
+      expect(response).to.beServedAs(200, 'DEBUG\n<link type="text/css" href="/__proxy__/__karma__/absolute/first.css" rel="stylesheet" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/base/b.css" rel="stylesheet" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/second.html" rel="import" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/base/d.html" rel="import" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/absolute/third" rel="stylesheet" crossorigin="anonymous">\n<link type="text/css" href="/__proxy__/__karma__/base/f" rel="stylesheet" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/absolute/fourth" rel="import" crossorigin="anonymous">\n<link href="/__proxy__/__karma__/base/g" rel="import" crossorigin="anonymous">')
       done()
     })
 
