-
Notifications
You must be signed in to change notification settings - Fork 989
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Asset fingerprinting and SRI #519
Comments
The current timestamp is not a very good solution I agree. |
That would work for fingerprinting the URL, but wouldnt generate the required SRI data. I could change the return type to an object, but not sure I want to make a breaking change to something so fundamental to existing sites. Hence the new function. If you're happy for me to add a breaking change, I can do that too. Or, I could just remove the |
Do you have a link for SRI? |
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity is a pretty good one. Or the spec at https://w3c.github.io/webappsec-subresource-integrity/, which is incredibly dry! |
Is there still interest for this? I'd like hash-based cache busting. SRI is nice in theory too, but practically only useful for external resources (which zola couldn't hash during compilation). |
IMO this is still relevant. |
I would like a PR for that. |
I'll try to make a PR within the next couple of days. |
Cache-busting was previously done with a compile-time timestamp. Change to the SHA-256 hash of the file to avoid refreshing unchanged files. The implementation could be used to add a new global fn (say, get_file_hash) for subresource integrity use, but that's for another commit. Fixes getzola#519.
Cache-busting was previously done with a compile-time timestamp. Change to the SHA-256 hash of the file to avoid refreshing unchanged files. The implementation could be used to add a new global fn (say, get_file_hash) for subresource integrity use, but that's for another commit. Fixes getzola#519.
You know, I got all excited because I saw some activity on this ticket and punted on doing some work to my hugo site because I thought, yay, they're tackling this finally! Hugo's template system is just as insane as golang, and migrating my fledgling site would be a worthwhile yak shave. But the PR that closed this issue does not provide the desired feature. It changes the cache busting mechanism. There's still no way for me to fill out the value of an |
|
The SRI spec says SHA-256, -384 and -512 MUST be supported by browsers IIRC. But SHA-384 is generally recommended and used for some reason. I think it'd make sense to let the user choose between those three hashes. |
I can make another PR for this. I didn't include it in the original one because I wasn't whether anyone would use it (and whether the project would want it). |
Let's start with just SHA-384, unless they are all coming from the same crate. |
They're all from the sha-2 crate which we already depend on. |
While working on SRI support I realized I basically broke all cache-busting in my previous PR, as now I've got |
|
|
There is a |
|
Correct, so I think the current implementation of |
Yeah, I agree. |
Just make it an argument of the |
Why not! Given that I don't see any scenario in which returning the raw binary value of the hash could be exploitable in Markdown / HTML, I suggest that the additional parameter, when set to Something like: // Returns 'fa6bad40f388d8f12525971a9d60a05797ee69b34bdb929b08a3c8ce1dc1c39116088286bf62e43b2435394f501964b1'.
get_file_hash(path="js/app.js", sha_type=384)
// Returns '+mutQPOI2PElJZcanWCgV5fuabNL25KbCKPIzh3Bw5EWCIKGv2LkOyQ1OU9QGWSx'.
get_file_hash(path="js/app.js", sha_type=384, base64=true) What do you think? |
Yep sounds good |
I'm working on the PR but there is something I don't get about the
According to this piece of code, the test functions compute the hash values of a file named For example with SHA256:
And according to the related unit test:
Am I missing something here? |
it's just the newline that changes the hash |
I actually thought about it but strangely, when I added a new line with Vim, it didn't get the right hash value. Thanks anyway. I know the issue comes from me now. |
PR created: #1339. I'm updating the documentation. |
…1339) * Add support for base64-encoded hash values The global template function 'get_file_hash' can now return a base64-encoded hash value when its 'base64' parameter is set to true. See discussion in #519. * Fix integrity attribute's value in test site SRI hash values must be base64-encoded. * Update documentation about 'get_file_hash' * Fix 'can_get_hash_for_static_files' unit test
This allows users to set extremely high caching values for their CSS and assets without worrying about poor UX whenever an update to said assets is made. Note: Can't add this for JS assets yet, the cachebusting logic is broken, see getzola/zola#1416 Ref: * https://www.getzola.org/documentation/templates/overview/#get-url * getzola/zola#519
It'd be nice if there were a way of accessing a fingerprint or hash of static files, for a more reliable way of caching assets.
I've given this a bit of thought, and probably need some input.
Ideally, it'd just be an additional function, say
get_static
, which returned a structure which contained the path, fingerprinted URL, hash, things like that. Because this requires the static files to exist before running, it would also serve as a link checker. However, What do we do about live reloading? When editing a static file, we'd either need to keep track of the linked resources per page, and only reload the linked pages, or just reload the whole site. (The latter is so much easier!)I see no reason why this couldnt work for any static file in the site, eg images. It wouldnt play well with images after they've been processed, but static images should work fine!
The text was updated successfully, but these errors were encountered: