Commit e51d1052 authored by ale's avatar ale

Add Subresource Integrity protection to all js/css resources

parent 62b4e1c5
#!/usr/bin/python
#
# Automatically fix Subresource Integrity links in the HTML templates.
#
# Pass templates as command-line arguments. Expects to be run from the
# resources/ directory.
#
import re
import sys
from hashlib import sha384
script_rx = re.compile(r'<(?:script|link rel="stylesheet")[^>]*(?:src|href)="([^"]+)"[^>]*>')
integrity_rx = re.compile(r' +integrity="[^"]*"')
def compute_checksum(src):
if src[0] == '/':
src = src[1:]
with open(src) as fd:
return 'sha384-' + sha384(fd.read()).digest().encode('base64').strip()
def replace_checksum(m):
src = m.group(1)
checksum = compute_checksum(src)
script = m.group(0)
script = integrity_rx.sub('', script)
script = '%s integrity="%s">' % (script[:-1], checksum)
return script
def fix_sri(path):
with open(path) as fd:
data = fd.read()
result = script_rx.sub(replace_checksum, data)
if result != data:
print >>sys.stderr, 'updating %s' % path
with open(path, 'w') as fd:
fd.write(result)
if __name__ == '__main__':
for path in sys.argv[1:]:
try:
fix_sri(path)
except Exception as e:
print >>sys.stderr, "Error fixing %s: %s" % (path, e)
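Review bot: compute_checksum opens the asset in text mode and base64-encodes with the Python 2-only `str.encode('base64')` codec, so the script cannot run under Python 3 and the digest is taken after any platform newline translation rather than over the exact bytes the browser will fetch; reading with `with open(src, 'rb') as fd:` and returning `'sha384-' + base64.b64encode(sha384(fd.read()).digest()).decode('ascii')` avoids both. script_rx also matches tags whose src/href is an absolute `http(s)://` URL, and because the resulting open() error propagates out of re.sub, a single external include aborts the rewrite of the whole template; replace_checksum should return `m.group(0)` unchanged when the source is not a local path, and such third-party includes still need a hand-maintained hash plus `crossorigin="anonymous"`. Finally, the `except Exception` in the `__main__` loop only prints the failure and the process still exits 0, so a pipeline step running this tool would pass with stale or missing hashes; setting a flag and calling `sys.exit(1)` after the loop would make it fail closed.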
{{define "title"}}Account Recovery{{end}}
{{define "head"}}
<link rel="stylesheet" href="/static/css/signin.css">
<link rel="stylesheet" href="/static/css/signin.css" integrity="sha384-zxlIX2SfN6SpDKbrkQNcrn07kaD/iSlYdEKRCab8ZAcTEvpWshVV4xqTpoQaeyPq">
{{end}}
{{define "content"}}
......
{{define "title"}}Account Recovery{{end}}
{{define "head"}}
<link rel="stylesheet" href="/static/css/signin.css">
<link rel="stylesheet" href="/static/css/signin.css" integrity="sha384-zxlIX2SfN6SpDKbrkQNcrn07kaD/iSlYdEKRCab8ZAcTEvpWshVV4xqTpoQaeyPq">
{{end}}
{{define "content"}}
......
......@@ -31,6 +31,6 @@
{{define "script"}}
<!-- The original u2f-api.js code can be found here:
https://github.com/google/u2f-ref-code/blob/master/u2f-gae-demo/war/js/u2f-api.js -->
<script type="text/javascript" src="/static/js/u2f-api.js"></script>
<script type="text/javascript" src="/static/js/u2f-idp.js"></script>
<script type="text/javascript" src="/static/js/u2f-api.js" integrity="sha384-9ChevE6pp8ArGK03HgolnFjZbF3webZQtYkwcabzbcI28Lx1/2x2j2fbaAWD4cgR"></script>
<script type="text/javascript" src="/static/js/u2f-idp.js" integrity="sha384-Aw1M0kx84dOGmcbSKwVf6MWXFfyF8YK7LFfpAPqBMG+843kqUeyHNUpEom8kSIiz"></script>
{{end}}
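Review bot: The two new script tags pin sha384 digests of self-hosted files, so any later edit or rebuild of u2f-idp.js that is not followed by a hash refresh makes the browser refuse the script and silently breaks the U2F sign-in step (SRI fails closed); an HTML comment above the tags, `<!-- integrity hashes are generated by fixsri.py; rerun it after changing anything under static/ -->`, would tell the next editor where the values come from, assuming that is the intended workflow. It is also worth stating what this protects against: for same-origin assets served by the same application, SRI only catches the asset being altered between server and browser or on a separate static host, not an attacker who can already edit these templates.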
{{define "title"}}Sign In{{end}}
{{define "head"}}
<link rel="stylesheet" href="/static/css/signin.css">
<link rel="stylesheet" href="/static/css/signin.css" integrity="sha384-zxlIX2SfN6SpDKbrkQNcrn07kaD/iSlYdEKRCab8ZAcTEvpWshVV4xqTpoQaeyPq">
{{end}}
{{define "content"}}
......
{{define "title"}}Sign In / OTP{{end}}
{{define "head"}}
<link rel="stylesheet" href="/static/css/signin.css">
<link rel="stylesheet" href="/static/css/signin.css" integrity="sha384-zxlIX2SfN6SpDKbrkQNcrn07kaD/iSlYdEKRCab8ZAcTEvpWshVV4xqTpoQaeyPq">
{{end}}
{{define "content"}}
......
{{define "title"}}Sign In / U2F{{end}}
{{define "head"}}
<link rel="stylesheet" href="/static/css/signin.css">
<link rel="stylesheet" href="/static/css/signin.css" integrity="sha384-zxlIX2SfN6SpDKbrkQNcrn07kaD/iSlYdEKRCab8ZAcTEvpWshVV4xqTpoQaeyPq">
{{end}}
{{define "content"}}
......@@ -29,8 +29,8 @@
{{define "script"}}
<!-- The original u2f-api.js code can be found here:
https://github.com/google/u2f-ref-code/blob/master/u2f-gae-demo/war/js/u2f-api.js -->
<script type="text/javascript" src="/static/js/u2f-api.js"></script>
<script type="text/javascript" src="/static/js/u2f-idp.js"></script>
<script type="text/javascript" src="/static/js/u2f-api.js" integrity="sha384-9ChevE6pp8ArGK03HgolnFjZbF3webZQtYkwcabzbcI28Lx1/2x2j2fbaAWD4cgR"></script>
<script type="text/javascript" src="/static/js/u2f-idp.js" integrity="sha384-Aw1M0kx84dOGmcbSKwVf6MWXFfyF8YK7LFfpAPqBMG+843kqUeyHNUpEom8kSIiz"></script>
<script type="text/javascript">
$(function() {
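Review bot: The inline script that starts on the last hunk line calls `$(...)`, so jQuery is loaded somewhere outside this hunk, presumably a base template; if that include is fetched from a CDN it needs `integrity` and `crossorigin="anonymous"` as well, and the new fixsri.py would not generate that hash because its compute_checksum only opens local paths. Without it, the SRI coverage claimed by the commit title is incomplete for exactly the dependency that executes first on the sign-in page. The `{{define "script"}}` block continues past the end of the hunk.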
......