Interlock-signed plugin
divmain opened this issue · 0 comments
divmain commented
Implement the `interlock-signed` plugin.
This plugin will ensure that bundles have not been tampered with, and allow for trusted use of third-party hosting for bundles (such as a public CDN). The general implementation will be as follows:
- add an additional provider with the following behavior:
  - on load: check for a global variable containing a map of bundle filenames to their SHA-1 hashes
  - on load: if the global variable is not found, notify the user with an `alert()` and set internal state such that any requests go to the `next` runtime bundle provider
  - on module request: if the module is not contained within a hashed bundle, fall back to the `next` runtime module provider
  - on module request: if the module is contained within a hashed bundle, create an XHR request for the bundle in question, rather than a script tag
  - on request success: when the XHR 200 response comes back, generate a SHA-1 hash of the bundle's raw text [1]
  - on request success: if the hash does not match, notify the user with an `alert()`
  - on request success: if the hash does match, create a new `<script>` tag with a `src` value of `data:text/javascript,...` [2]
- add `transform` to `emitRawBundles` step
  - generate SHA-1 hashes of `bundle.raw` values [1]
  - create map of bundle filenames to SHA-1 hashes
  - append output file to array of bundles, which when loaded sets a global variable that contains the `filename:SHA-1` map
Constraints:
- script containing hashes must be loaded as a separate script or inlined into the HTML on initial page load
- server hosting signed bundles must support XHR requests for the loaded site
Additional thoughts:
- Consider using SubtleCrypto to minimize impact to bundle size.
[1] http://www.movable-type.co.uk/scripts/sha1.html
[2] https://developer.mozilla.org/en-US/Add-ons/Code_snippets/Rosetta, line 45 of code sample