Include JavaScript file hashes in entrypoints.json for hash & nonce attributes (CSP)

[weaverryan]

Hi guys!

This is an idea that I've just been talking to a few people about: in the entrypoints.json, what if we output the file hashes for all of the JavaScript files? For example:

{
  "app": {
    "js": [
      "build/runtime.js",
      "build/vendors~a33029de.js",
      "build/app.js"
    ],
    "css": [
      "build/vendors~ea1103fa.css",
      "build/app.css"
    ]
  },
  "checkout": {
    "js": [
      "build/runtime.js",
      "build/vendors~a33029de.js",
      "build/checkout.js"
    ],
    "css": [
      "build/checkout.css"
    ]
  },
  "_hashes": {
    "build/runtime.js": "oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC",
    "build/vendors~a33029de.js": "oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC",
    "build/app.js": "oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC",
    "build/checkout.js: "oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  }
}

I am far from a security expert, but as I understand it, this would give us 2 possible security-related possibilities - especially when used with the new Twig function in WebpackEncore bundle that outputs your script tags automatically (https://github.com/symfony/webpack-encore-bundle):

1. A integrity= attribute for Subresource integrity (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)

2. A nonce= attribute (set to the same hash), which would allow you to use a CSP that requires nonces for all script tags (a very strict policy). The server could also read these hash values for the CSP header.

Questions:

A) Good idea? Bad idea?
B) Is the integrity= something that's valuable for "self" script/link tags?

[stof]

nonce should not use a hash of the file as the value (as the same value would be used multiple times).

[frankdejonge]

A little extra context for @stof's comment: For the nonce we need to hash of the individual chunk not from the build.

[stof]

no, for the nonce, you need a generated value (a nonce is meant to be used only once)

[frankdejonge]

I meant for the CSP header.

[stof]

If you use a nonce in the CSP header, it must be a generated value you change each time, not a static value. Otherwise, a XSS could have a valid nonce on it by using your static value (defeating the point of the CSP)

[Lyrkan]

I like the idea.

As stof said it can't be used for the nonce attribute, but it would definitely be useful for integrity.

What I like a bit less though is the special _hashes key... I think having something like this would be preferable:

{
	"entrypoints": {
		"app": {
			"js": [
				"build/runtime.js",
				"build/vendors~a33029de.js",
				"build/app.js"
			],
			"css": [
				"build/vendors~ea1103fa.css",
				"build/app.css"
			]
		},
		"checkout": {
			"js": [
				"build/runtime.js",
				"build/vendors~a33029de.js",
				"build/checkout.js"
			],
			"css": [
				"build/checkout.css"
			]
		}
	},
	"hashes": {
		"build/runtime.js": "oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC",
		"build/vendors~a33029de.js": "oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC",
		"build/app.js": "oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC",
		"build/checkout.js": "oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
	}
}

[Phobetor]

Having the integrity hashes would be a great improvement.