diff --git a/system/blueprints/config/system.yaml b/system/blueprints/config/system.yaml
index 538fd08f5..8d5ca4e91 100644
--- a/system/blueprints/config/system.yaml
+++ b/system/blueprints/config/system.yaml
@@ -1005,6 +1005,17 @@ form:
0: PLUGIN_ADMIN.NO
validate:
type: bool
+
+ assets.enable_asset_sri:
+ type: toggle
+ label: PLUGIN_ADMIN.ENABLED_SRI_ON_ASSETS
+ help: PLUGIN_ADMIN.ENABLED_SRI_ON_ASSETS_HELP
+ highlight: 0
+ options:
+ 1: PLUGIN_ADMIN.YES
+ 0: PLUGIN_ADMIN.NO
+ validate:
+ type: bool
assets.collections:
type: multilevel
diff --git a/system/config/system.yaml b/system/config/system.yaml
index 5c29a7869..764c04886 100644
--- a/system/config/system.yaml
+++ b/system/config/system.yaml
@@ -127,6 +127,7 @@ assets: # Configuration for Assets Mana
js_pipeline_before_excludes: true # Render the pipeline before any excluded files
js_minify: true # Minify the JS during pipelining
enable_asset_timestamp: false # Enable asset timestamps
+ enable_asset_sri: false # Enable asset SRI
collections:
jquery: system://assets/jquery/jquery-2.x.min.js
diff --git a/system/src/Grav/Common/Assets/BaseAsset.php b/system/src/Grav/Common/Assets/BaseAsset.php
index 579b1f943..423c84236 100644
--- a/system/src/Grav/Common/Assets/BaseAsset.php
+++ b/system/src/Grav/Common/Assets/BaseAsset.php
@@ -10,6 +10,7 @@
namespace Grav\Common\Assets;
use Grav\Common\Assets\Traits\AssetUtilsTrait;
+use Grav\Common\Config\Config;
use Grav\Common\Grav;
use Grav\Common\Uri;
use Grav\Common\Utils;
@@ -171,6 +172,31 @@ abstract class BaseAsset extends PropertyObject
return $this;
}
+
+ /**
+ * Receive asset location and return the SRI integrity hash
+ *
+ * @param $input
+ *
+ * @return string
+ */
+ public static function integrityHash( $input )
+ {
+ $grav = Grav::instance();
+
+ $assetsConfig = $grav['config']->get('system.assets');
+
+ if ( !empty($assetsConfig['enable_asset_sri']) && $assetsConfig['enable_asset_sri'] )
+ {
+ $dataToHash = file_get_contents( GRAV_ROOT . $input);
+
+ $hash = hash('sha256', $dataToHash, true);
+ $hash_base64 = base64_encode($hash);
+ return ' integrity="sha256-' . $hash_base64 . '"';
+ }
+
+ return '';
+ }
/**
diff --git a/system/src/Grav/Common/Assets/Css.php b/system/src/Grav/Common/Assets/Css.php
index b1f0a488b..4c6a9c9b0 100644
--- a/system/src/Grav/Common/Assets/Css.php
+++ b/system/src/Grav/Common/Assets/Css.php
@@ -47,6 +47,6 @@ class Css extends BaseAsset
return "\n";
}
- return 'renderAttributes() . ">\n";
+ return 'renderAttributes() . $this->integrityHash($this->asset) . ">\n";
}
}
diff --git a/system/src/Grav/Common/Assets/Js.php b/system/src/Grav/Common/Assets/Js.php
index 9946bd8b4..fc2a472fd 100644
--- a/system/src/Grav/Common/Assets/Js.php
+++ b/system/src/Grav/Common/Assets/Js.php
@@ -43,6 +43,6 @@ class Js extends BaseAsset
return '\n";
}
- return '\n";
+ return '\n";
}
}
diff --git a/system/src/Grav/Common/Assets/Pipeline.php b/system/src/Grav/Common/Assets/Pipeline.php
index 9b44fd840..7aef0e145 100644
--- a/system/src/Grav/Common/Assets/Pipeline.php
+++ b/system/src/Grav/Common/Assets/Pipeline.php
@@ -9,6 +9,7 @@
namespace Grav\Common\Assets;
+use Grav\Common\Assets\BaseAsset;
use Grav\Common\Assets\Traits\AssetUtilsTrait;
use Grav\Common\Config\Config;
use Grav\Common\Grav;
@@ -148,7 +149,7 @@ class Pipeline extends PropertyObject
$output = "\n";
} else {
$this->asset = $relative_path;
- $output = 'renderAttributes() . ">\n";
+ $output = 'renderAttributes() . BaseAsset::integrityHash($this->asset) . ">\n";
}
return $output;
@@ -211,7 +212,7 @@ class Pipeline extends PropertyObject
$output = '\n";
} else {
$this->asset = $relative_path;
- $output = '\n";
+ $output = '\n";
}
return $output;