Add support for integrity hashes

[Lyrkan]

This PR allows to automatically add integrity attributes on <script> and <link> tags based on the content of the entrypoints.json file (related to the following PR on Encore: symfony/webpack-encore#522).

It requires the following configuration:

// webpack.config.js
// Enable it for all builds with the
// default hash algorithm (sha384)
Encore.enableIntegrityHashes();

// Or enable it only in production
// with a custom hash algorithm
Encore.enableIntegrityHashes(
    Encore.isProduction(),
    'sha384'
);

// Or with multiple hash algorithms
Encore.enableIntegrityHashes(
    Encore.isProduction(),
    ['sha384','sha512']
);

Then, calling yarn encore then generates an entrypoints.json that contains hashes for all the files it references:

{
  "entrypoints": {
    // (...)
  },
  "integrity": {
    "/build/runtime.fa8f03f5.js": "sha384-5WSgDNxkAY6j6/bzAcp3v//+PCXLgXCU3u5QgRXWiRfMnN4Ic/a/EF6HJnbRXik8",
    "/build/0.b70b772e.js": "sha384-FA3+8ecenjmV1Y751s0fKxGBNtyLBA8hDY4sqFoqvsCPOamLlA5ckhRBttBg1esp",
    // (...)
  }
}

And these hashes are automatically added when calling encore_entry_script_tags and encore_entry_link_tags:

<html lang="en">
  <head>
    <!-- ... -->
    <link rel="stylesheet" href="/build/css/app.2235bc2d.css" integrity="sha384-Jmd35HF93DFCXjisVeMi6U3lniH/mOdAF6wLtOMqhYMh2ZiBRUdtF7jXB55IAKfm">
    <!-- ... -->
  </head>
  <body id="homepage">
    <!-- ... -->
    <script src="/build/runtime.fa8f03f5.js" integrity="sha384-5WSgDNxkAY6j6/bzAcp3v//+PCXLgXCU3u5QgRXWiRfMnN4Ic/a/EF6HJnbRXik8"></script>
    <script src="/build/0.b70b772e.js" integrity="sha384-FA3+8ecenjmV1Y751s0fKxGBNtyLBA8hDY4sqFoqvsCPOamLlA5ckhRBttBg1esp"></script>
    <!-- ... -->
  </body>
</html>

An example using Symfony Demo can be found here: Lyrkan/symfony-demo@91a06cd

[weaverryan]

@Lyrkan What do you think about not making this optional? What I mean is, we always look for the integrity key. And if it is present, we add the integrity attribute. If not, we skip it. I think we can avoid the added option, because you've already "opted into it" by activating it in Encore.

[Lyrkan]

@weaverryan I removed the toggle and no integrity key is now the same thing than integrity: {}.

I also made some changes in order to support the latest version of symfony/webpack-encore#522 (that allows to generate multiple hashes per file) and updated the demo link of my first post :)

[weaverryan]

Minor stuff! Then it'll be ready for merge!

[weaverryan]

Awesome! Thank you @Lyrkan!

[endelwar]

I'm getting a little warning in PHPStorm about boolean!= bool

[Lyrkan]

@endelwar My bad for that one, wrong JSDoc type!

I just pushed a fix in Encore, it'll be part of the next release (but you can safely ignore that warning for now).