Add tooling to generate SRI hashes for assets

Subresource integrity allows user agents to verify that a fetched resource has been delivered without unexpected manipulation[0]. I put theme assets in a json configuration file and save the hashes to a TOML file that Hugo loads via its theme data mechanism[1]. [0] https://www.w3.org/TR/SRI/ [1] https://gohugo.io/extras/datafiles/
2025-05-10 06:26:00 +02:00 · 2017-01-11 10:32:43 +02:00
parent c2d9b1ad74
commit 683755f95d
3 changed files with 30 additions and 1 deletions
--- a/build/assets.json
+++ b/build/assets.json
@ -0,0 +1,5 @@
+{
+  "style": "static/css/style.css",
+  "cookieconsentcss": "static/css/cookieconsent.min.css",
+  "cookieconsentjs": "static/js/cookieconsent.min.js"
+}
--- a/build/sri.js
+++ b/build/sri.js
@ -0,0 +1,23 @@
+// Adapted from: https://gist.github.com/jmervine/ae1bace0fe37dce75b90ec3e9592771c
+
+var crypto = require('crypto');
+var fs     = require('fs');
+var assets = require('./assets.json');
+
+var generate384 = function (file) {
+  var enc  = 'utf8';
+  var body = fs.readFileSync(file, { encoding: enc });
+  var hash = crypto.createHash('sha384').update(body, enc);
+  var sha  = hash.digest('base64');
+
+  return 'sha384-' + sha;
+}
+
+for (var asset in assets) {
+  var path = assets[asset];
+  var hash = generate384(path);
+
+  console.log(asset + ' = "' + hash + '"');
+}
+
+// vim: set ts=2 sw=2 et: