Plugin for Jekyll to automate the generation of the Subresource Integrity (SRI) hash.
Jekyll and Subresource Integrity

A small plugin to automate the generation of Subresource Integrity (SRI) hashes for linked files. It is one tool of the toolbox of modern browser features to increase the security of a website. As an example, it turns the following HTML:

```html
<script defer="" type="text/javascript" src="/scripts/main.js"></script>

<!-- other content -->

<link rel="stylesheet" href="/assets/css/style.css" />
```

Into this:

```html
<script
  defer=""
  type="text/javascript"
  src="/scripts/main.js"
  integrity="sha256-YK9s9fnHOUQ8vQsa/ftb4LSXAclQZxzu46g1nI6IQds="
  crossorigin="anonymous"
></script>

<!-- other content -->

<link
  rel="stylesheet"
  href="/assets/css/style.css"
  integrity="sha256-4733EDT8W6Ti+AW0WPy3mz0Xo5K9Opg39QS5gEldxz8="
  crossorigin="anonymous"
/>
```

Installation

Add this line to your site's Gemfile:

```ruby
# If you have any plugins, put them here!
group :jekyll_plugins do

  # (...)

  # Used to generate the subresource integrity (SRI) hash of linked assets.
  # - https://github.com/Garanas/jekyll-subresource-integrity-hook

  gem 'jekyll-subresource-integrity-hook', git: "https://github.com/Garanas/jekyll-subresource-integrity-hook"
end
```

⚠️ If you are using Jekyll < 3.5.0, use the `gems` key instead of `plugins`.

And then add the plugin to your site's configuration file:

```yaml
plugins:
  - (...)
  - jekyll-subresource-integrity-hook
```

Usage

Once installed and configured you should be set. The plugin works via a Jekyll Hook that triggers at the `:post_write` event, the last event in the list of Jekyll hook events. The plugin looks through all written HTML files and adds the `integrity` and `crossorigin` attributes to all `script` and `link` tags.

It is important that this plugin runs last, after any other form of file manipulation. If files are modified after this plugin runs, the generated integrity hashes may no longer match the hash that the browser computes. In that case the browser rejects the resource and the file is not applied to your site. The rejection is logged to the browser console as an error, and it is also reported by the browser if the `Report-To` header is defined.
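The following is an added example, not the plugin's own code: it computes SRI tokens for the files Jekyll has written, adds them to local `script`/`link` tags as described above, and then runs the browser-side comparison to show why a file modified after the hook is rejected. The sample assets and page markup are constructed; `assets` is a hash that stands in for the `_site` directory.

```ruby
# Added example, not the plugin's own code: compute SRI tokens for files
# Jekyll has written, add them to local <script>/<link> tags, and run the
# browser-side comparison that fails when a file is changed afterwards.
require 'digest'

# SRI token: "<algorithm>-<base64 of raw digest>", e.g. integrity="sha256-...".
def sri_token(content, algorithm: 'sha256')
  digest = case algorithm
           when 'sha256' then Digest::SHA256.digest(content)
           when 'sha384' then Digest::SHA384.digest(content)
           when 'sha512' then Digest::SHA512.digest(content)
           else raise ArgumentError, "unsupported SRI algorithm: #{algorithm}"
           end
  "#{algorithm}-#{[digest].pack('m0')}" # 'm0' = base64 without line breaks
end

# What the browser does: hash the fetched bytes and compare with the token.
def integrity_matches?(token, content)
  token == sri_token(content, algorithm: token.split('-', 2).first)
end

TAG_RE = %r{<(script|link)\b([^>]*?)(\s*/)?>}
URL_RE = %r{\b(?:src|href)="(/[^"]*)"}

# `assets` maps site-relative paths to contents, standing in for _site at
# the :post_write hook. Only local assets we can hash get the attributes.
def add_integrity(html, assets)
  html.gsub(TAG_RE) do |whole|
    tag, attrs, close = $1, $2, $3
    path = attrs[URL_RE, 1]
    content = path && assets[path]
    # Skip remote/unknown files and tags that already carry an integrity value.
    next whole if content.nil? || attrs.include?('integrity=')
    %(<#{tag}#{attrs} integrity="#{sri_token(content)}" crossorigin="anonymous"#{close}>)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample site: one script, one stylesheet, one page using both.
  assets = { '/scripts/main.js' => "console.log('hi');\n",
             '/assets/css/style.css' => "body { margin: 0; }\n" }
  page = %(<script defer="" src="/scripts/main.js"></script>\n) +
         %(<link rel="stylesheet" href="/assets/css/style.css" />\n)
  puts add_integrity(page, assets)
  token = sri_token(assets['/scripts/main.js'])
  # A minifier run after the hook changes the bytes, so the check fails.
  puts integrity_matches?(token, "console.log('hi');") # => false
end
```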

References

Various topics about modern browser security:

Guides

Similar projects

A plugin that can also produce the

A tool to manually generate the hash of a specific file. As an example, take this blog post by Thomas Williams about it.
