Tags are injected with integrity="undefined" on v1.5.0
I’m on Webpack 4.44.2 and noticed after upgrading to this plugin’s v1.5.0 release that injected tags have an undefined
integrity. Tags inserted via html-webpack-plugin have the correct integrity, but dynamically injected tags use undefined
and the integrity check is bypassed.
Here’s what Firefox prints:
The script element has a malformed hash in its integrity attribute: "undefined". The correct format is "<hash algorithm>-<hash value>".
There are no errors or warnings printed during Webpack’s build.
Downgrading to 1.4.1 fixes this issue so I’m assuming it’s related to the changes that added Webpack 5 support in 1.5.0.
Issue Analytics
- State:
- Created 3 years ago
- Comments:14
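Added example, not part of the original issue or the plugin's code: a Node.js build check that flags chunks whose integrity value is missing, malformed (such as the literal string "undefined" reported above) or does not match the emitted bytes. The `chunks` and `hashes` map shapes, the function names and all sample values are constructed assumptions.

```javascript
const { createHash } = require('node:crypto');

// Algorithms defined for SRI, weakest to strongest.
const ALGS = ['sha256', 'sha384', 'sha512'];
// Stricter than a browser: every token must be "<alg>-<base64>", no options.
const TOKEN = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})$/;

// Classify one integrity value against the bytes it is meant to cover.
// Returns 'missing', 'malformed', 'mismatch' or 'ok'.
function checkIntegrity(value, content) {
  if (value === undefined || value === null || value === '') return 'missing';
  const parsed = String(value).trim().split(/\s+/).map((t) => TOKEN.exec(t));
  // The string "undefined" ends up here: a browser cannot parse it and
  // then loads the script without enforcing any hash.
  if (parsed.includes(null)) return 'malformed';
  // Browsers enforce only the strongest algorithm that is listed.
  const top = Math.max(...parsed.map((m) => ALGS.indexOf(m[1])));
  const ok = parsed
    .filter((m) => ALGS.indexOf(m[1]) === top)
    .some((m) => createHash(m[1]).update(content).digest('base64') === m[2]);
  return ok ? 'ok' : 'mismatch';
}

// Audit every emitted chunk and return only the problem entries.
// Assumed shapes: chunks = { name: source }, hashes = { name: integrity }.
function auditChunks(chunks, hashes) {
  return Object.entries(chunks)
    .map(([name, content]) => ({ name, status: checkIntegrity(hashes[name], content) }))
    .filter((r) => r.status !== 'ok');
}

// Constructed sample data (not taken from the issue).
const sri = (s) => 'sha384-' + createHash('sha384').update(s).digest('base64');
const chunks = {
  main: 'console.log("main")',
  lazy: 'console.log("lazy")',
  admin: 'console.log("admin")',
};
const hashes = {
  main: sri(chunks.main),
  lazy: 'undefined',        // the value described in this issue
  admin: sri('stale build'), // well-formed but for different bytes
};
const findings = auditChunks(chunks, hashes);
console.log(findings);
```

Failing the build when `auditChunks` returns any entry surfaces the problem that, per the report above, produced no errors or warnings during Webpack's build.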
Top GitHub Comments
Ok, I’ve spent some time reflecting on what went wrong here, and the bottom line is:
I’m planning to take the following steps to reduce the likelihood of something like this happening again:
In addition, time permitting, I’m thinking of starting work on a version 2.0.0 that would be a rewrite in TypeScript, and drop compatibility with Webpack < 5 (and probably also html-webpack-plugin < 5) which would further help to improve code quality by reducing footprint.
We’re also going to establish a security policy, including a communications channel that can be used for reporting security issues privately.
@jscheid that sounds awesome 😃
I talked to the webpack core team and they told me that they will probably provide us with additional stages so that we can build the HTML at a time where the CSS & JS files have been optimized and you can generate the correct hashes…
I’ll keep you posted 😃