{"componentChunkName":"component---src-templates-blog-post-js","path":"/angular-subresource-integrity/","result":{"data":{"site":{"siteMetadata":{"title":"Fabrizio Fortunato","author":"Fabrizio Fortunato","siteUrl":"https://izifortune.com"}},"markdownRemark":{"id":"8b43ed3a-e6c7-5eed-b57a-58f1dddaa89b","excerpt":"Subresource integrity is a browser feature that verifies that a resource, script or link element, has not been tampered with. Subresource integrity helps…","html":"<p><em>Subresource</em> integrity is a browser feature that verifies that a resource, script or link element, has not been tampered with. <em>Subresource</em> integrity helps protecting your website from any resource manipulation that can happen especially if you are hosting your resources in a <em>CDN</em> where you are not in control of hosting the resources that you are using.</p>\n<p>Through malicious javascript an attacker can get control of various informations of your users that are browsing your site such as: cookies, storage, form data etc. Thanks to subresource integrity you can control that no resource has being tampered directly in the browser.</p>\n<p>You can use  subresource integrity by adding the attribute <code class=\"language-text\">integrity</code> to any <code class=\"language-text\">script</code> and <code class=\"language-text\">link</code> tag. The integrity attribute accepts a string containing the suffix of the hash algorithm and followed by the base64 hash.</p>\n<div class=\"gatsby-highlight\" data-language=\"html\"><pre class=\"language-html\"><code class=\"language-html\"><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;</span>script</span>\n      <span class=\"token attr-name\">type</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>text/javascript<span class=\"token punctuation\">\"</span></span>\n      <span class=\"token attr-name\">src</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>runtime.js<span class=\"token punctuation\">\"</span></span>\n      <span class=\"token attr-name\">integrity</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>sha384-l2idrIRRBrjHbp+jErEfqKMlALJ8XhHO2xWq/3wCMAE2uO8I7Wv+yulQip2yKsG+<span class=\"token punctuation\">\"</span></span>\n      <span class=\"token attr-name\">crossorigin</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>anonymous<span class=\"token punctuation\">\"</span></span><span class=\"token punctuation\">></span></span><span class=\"token script\"><span class=\"token language-javascript\">\n</span></span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;/</span>script</span><span class=\"token punctuation\">></span></span></code></pre></div>\n<p>In order to generate a hash in OSX you can use <code class=\"language-text\">shasum</code>  command line utility over the desired file and then pass the output to a series of transformations:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">shasum -a <span class=\"token number\">384</span> /path/file <span class=\"token operator\">|</span> <span class=\"token function\">awk</span> <span class=\"token string\">'{ print <span class=\"token variable\">$1</span> }'</span> <span class=\"token operator\">|</span> xxd -r -p <span class=\"token operator\">|</span> base64 </code></pre></div>\n<p>This will output a hash which we can then use in our subresource integrity. Let’s start with a simple example, creating a javascript file <code class=\"language-text\">tegridy.js</code>:</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">function</span> <span class=\"token function\">tegridy</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n <span class=\"token keyword\">return</span> <span class=\"token string\">'No vaping'</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span> </code></pre></div>\n<p>Now using <code class=\"language-text\">shasum</code> command as described above we will get the hash without the prefix:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">shasum -a <span class=\"token number\">384</span> tegridy.js <span class=\"token operator\">|</span> <span class=\"token function\">awk</span> <span class=\"token string\">'{ print <span class=\"token variable\">$1</span> }'</span> <span class=\"token operator\">|</span> xxd -r -p <span class=\"token operator\">|</span> base64\n\n<span class=\"token operator\">>></span> e8LWRk7Tfo31vuZ4RTkVYgYunN58TLsbjxBkG7Qi/kikqRWXkwRInR2NB5ga0GUt</code></pre></div>\n<p>Once we have the hash we can add the <em>integrity</em> attribute in the <em>script</em> tag adding the prefix of the hash algorithm used:</p>\n<div class=\"gatsby-highlight\" data-language=\"html\"><pre class=\"language-html\"><code class=\"language-html\"><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;</span>html</span><span class=\"token punctuation\">></span></span>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;</span>title</span><span class=\"token punctuation\">></span></span>Tegridy Farm<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;/</span>title</span><span class=\"token punctuation\">></span></span>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;</span>body</span><span class=\"token punctuation\">></span></span>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;</span>script</span>\n  <span class=\"token attr-name\">integrity</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>sha384-e8LWRk7Tfo31vuZ4RTkVYgYunN58TLsbjxBkG7Qi/kikqRWXkwRInR2NB5ga0GUt<span class=\"token punctuation\">\"</span></span>\n  <span class=\"token attr-name\">src</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>./tegridy.js<span class=\"token punctuation\">\"</span></span><span class=\"token punctuation\">></span></span><span class=\"token script\"><span class=\"token language-javascript\">\n</span></span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;/</span>script</span><span class=\"token punctuation\">></span></span>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;</span>script</span><span class=\"token punctuation\">></span></span><span class=\"token script\"><span class=\"token language-javascript\">\nconsole<span class=\"token punctuation\">.</span><span class=\"token function\">log</span><span class=\"token punctuation\">(</span><span class=\"token function\">tegridy</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n</span></span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;/</span>script</span><span class=\"token punctuation\">></span></span>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;/</span>body</span><span class=\"token punctuation\">></span></span></code></pre></div>\n<p>The browser, before executing the script, will check the integrity of the script based on the hash passed as argument. If we then try to change the file <code class=\"language-text\">tegridy.js</code> slightly:</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">function</span> <span class=\"token function\">tegridy</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n <span class=\"token keyword\">return</span> <span class=\"token string\">'Yes vaping'</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The integrity of the file won’t match with the attribute passed the browser then will throw a network error refusing to execute the script and indicating that fetching it failed. </p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto;  max-width: 590px;\"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/dist/static/1dd89b92560b17b8023b2b12f9ebd866/96101/Untitled-7a2ba5d9-ecc8-4d94-9621-0ae925d170d5.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 3.378378378378378%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAIAAABR8BlyAAAACXBIWXMAAAsSAAALEgHS3X78AAAAPElEQVQI1x3LwQnAIBAAQfsvTAQVotGTyKmlbDg/+xhYhwzqiy5r65SKD+zNunKOYUw8BVW+SRdStkvGD1tiNTp/5ka2AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <img\n        class=\"gatsby-resp-image-image\"\n        alt=\"subresource-integrity-error\"\n        title=\"subresource-integrity-error\"\n        src=\"/dist/static/1dd89b92560b17b8023b2b12f9ebd866/102e5/Untitled-7a2ba5d9-ecc8-4d94-9621-0ae925d170d5.png\"\n        srcset=\"/dist/static/1dd89b92560b17b8023b2b12f9ebd866/83276/Untitled-7a2ba5d9-ecc8-4d94-9621-0ae925d170d5.png 148w,\n/dist/static/1dd89b92560b17b8023b2b12f9ebd866/ba02f/Untitled-7a2ba5d9-ecc8-4d94-9621-0ae925d170d5.png 295w,\n/dist/static/1dd89b92560b17b8023b2b12f9ebd866/102e5/Untitled-7a2ba5d9-ecc8-4d94-9621-0ae925d170d5.png 590w,\n/dist/static/1dd89b92560b17b8023b2b12f9ebd866/74549/Untitled-7a2ba5d9-ecc8-4d94-9621-0ae925d170d5.png 885w,\n/dist/static/1dd89b92560b17b8023b2b12f9ebd866/96101/Untitled-7a2ba5d9-ecc8-4d94-9621-0ae925d170d5.png 1010w\"\n        sizes=\"(max-width: 590px) 100vw, 590px\"\n        style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n        loading=\"lazy\"\n      />\n  </a>\n    </span></p>\n<h2>Angular integrity</h2>\n<p>For simple applications where resources hardly change you can calculate the hash for each resource manually and attach to the element. While working on <em>Angular</em> application instead most of the javascript resources will be bundled by webpack at build time.  A manual workflow is not exactly scalable since every time we will make a change to our application, <em>angular-cli</em> will create a new bundled resource which will need a new hash to be generated.</p>\n<p>Thanks to the <em>angular-cli</em> team there is already an option to add the subresource integrity to your files by simply appending <em>—subresource-integrity</em> to your build script:</p>\n<div class=\"gatsby-highlight\" data-language=\"json\"><pre class=\"language-json\"><code class=\"language-json\"><span class=\"token property\">\"scripts\"</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token property\">\"ng\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"ng\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"start\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"ng serve\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"build\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"ng build --subresource-integrity\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"test\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"ng test\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"lint\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"ng lint\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"e2e\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"ng e2e\"</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span></code></pre></div>\n<p>Once the flag is added, the <em>cli</em> will automatically generate a hash for the application resources and add to the <em>index.html</em> when running <code class=\"language-text\">npm run build:</code></p>\n<div class=\"gatsby-highlight\" data-language=\"html\"><pre class=\"language-html\"><code class=\"language-html\">...\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;</span>script</span>\n  <span class=\"token attr-name\">type</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>text/javascript<span class=\"token punctuation\">\"</span></span>\n  <span class=\"token attr-name\">src</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>runtime.js<span class=\"token punctuation\">\"</span></span>\n  <span class=\"token attr-name\">integrity</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>sha384-l2idrIRRBrjHbp+jErEfqKMlALJ8XhHO2xWq/3wCMAE2uO8I7Wv+yulQip2yKsG+<span class=\"token punctuation\">\"</span></span>\n  <span class=\"token attr-name\">crossorigin</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>anonymous<span class=\"token punctuation\">\"</span></span><span class=\"token punctuation\">></span></span><span class=\"token script\"><span class=\"token language-javascript\">\n</span></span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;/</span>script</span><span class=\"token punctuation\">></span></span>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;</span>script</span>\n  <span class=\"token attr-name\">type</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>text/javascript<span class=\"token punctuation\">\"</span></span>\n  <span class=\"token attr-name\">src</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>es2015-polyfills.js<span class=\"token punctuation\">\"</span></span>\n  <span class=\"token attr-name\">nomodule</span>\n  <span class=\"token attr-name\">integrity</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>sha384-3g/ASsyNZi2bts3atqex3i7NlTDWAWh0/E+F1Y6dq80XjKjmW5f5LG7LThpiv4et<span class=\"token punctuation\">\"</span></span>\n  <span class=\"token attr-name\">crossorigin</span><span class=\"token attr-value\"><span class=\"token punctuation\">=</span><span class=\"token punctuation\">\"</span>anonymous<span class=\"token punctuation\">\"</span></span><span class=\"token punctuation\">></span></span><span class=\"token script\"><span class=\"token language-javascript\">\n</span></span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;/</span>script</span><span class=\"token punctuation\">></span></span>\n...</code></pre></div>\n<p>This is especially useful when you are hosting all your application assets in another service like a CDN which sits outside of your organisation. Remember that you can start using subresource integrity even for third-party CDN hosted files. Popular CDN like <a href=\"%5Bhttps://unpkg.com/%5D(https://unpkg.com/)\">unpkg</a> and <a href=\"%5Bhttps://cdnjs.com/%5D(https://cdnjs.com/)\">cdnjs</a> already support it.</p>","frontmatter":{"title":"Angular subresource integrity","date":"February 12, 2019","description":"Improve the security of your application by using subresource integrity in an Angular application","socialImage":{"childImageSharp":{"fixed":{"src":"/dist/static/f19988208a967ad08e574bf5d54b6ff7/048fd/tegridy.png"}}},"image":{"childImageSharp":{"fluid":{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAIAAAB2/0i6AAAACXBIWXMAAAsSAAALEgHS3X78AAABF0lEQVQY02PQLT+OjPTKjmlVnlJouGRcfCglaHps0AzDksNK9Ze0K0/qlR9DU8yAofOkdd7uCeYlR4Xd7zHqn2DUXSvsWm9ZZpG/R7sCXT+KZv2yo2o1Z30TVj9jVH/BoHGPQe8Eg+4ZBtVTzKouKes0qs8ATcdtc/kxzapT9tk7ttdN3dc64WDH1A01nRvqO7dUTbQsPaxVfkIPj7OBSKfihGHx4d2BFRfcko85J+5wStjjHLcmsNyw4rgOqkosmvXLjqlWn9so6fuJQfwOo+ZRRvXLDKLTZIM0K04RCDBImAEDxil353STwlusJkdYjVvMCu3zdupUnNQtI6QZ6vPKUyq150NilvjFLlOtPQ+MAj0MnUAEAJCh3Fzx3bC9AAAAAElFTkSuQmCC","aspectRatio":2.609375,"src":"/dist/static/7b22c8c4e964c8f74ada428ba9896e5e/fc147/tegridy2.png","srcSet":"/dist/static/7b22c8c4e964c8f74ada428ba9896e5e/17cc0/tegridy2.png 167w,\n/dist/static/7b22c8c4e964c8f74ada428ba9896e5e/f7869/tegridy2.png 333w,\n/dist/static/7b22c8c4e964c8f74ada428ba9896e5e/fc147/tegridy2.png 649w","sizes":"(max-width: 649px) 100vw, 649px"}}}}}},"pageContext":{"slug":"/angular-subresource-integrity/","previous":{"fields":{"slug":"/theming-angular-at-ryanair/"},"frontmatter":{"title":"Theming Angular at Ryanair"}},"next":{"fields":{"slug":"/lighthouse-architecture-demystified/"},"frontmatter":{"title":"Lighthouse architecture demystified"}}}}}