Feature: Introduce subresource integrity checks (SRI) for frontend assets (#100983)

* feat(featuremgmt): introduce feature toggle for enabling sri checks * feat(frontend): use assetSriChecks feature toggle to inject integrity hash into script tags * chore(webpack): align sri algorithms across dev and prod builds * docs(featuremgmt): update assetSriChecks to pass CI * docs(featuremgmt): fix more spelling complaints with assetSriChecks * Add crossorigin attribute * chore(webpack): add subresource-integrity plugin * build(webpack): wrap webpack jsonp loader integrity checks in feature flag checks * revert(index.html): remove crossorigin attribute if assertSriChecks is disabled --------- Co-authored-by: Kristian Bremberg <kristian.bremberg@grafana.com>
2025-09-18 05:02:51 +08:00 · 2025-03-04 11:56:35 +01:00
parent bf9a34f2ca
commit bbfeb8d220
13 changed files with 141 additions and 7 deletions
--- a/scripts/webpack/webpack.dev.js
+++ b/scripts/webpack/webpack.dev.js
@ -149,6 +149,7 @@ module.exports = (env = {}) => {
      new WebpackAssetsManifest({
        entrypoints: true,
        integrity: true,
+        integrityHashes: ['sha384', 'sha512'],
        publicPath: true,
      }),
      new WebpackBar({