From 82e5008506316076c77e1ec659d423c15a50283f Mon Sep 17 00:00:00 2001
From: ilyalyo
Date: Tue, 28 Mar 2017 21:38:02 +0530
Subject: [PATCH] Check for SRI/CORS in CSS files
---
 lib/html-proofer/check/links.rb | 11 +++++++
 spec/html-proofer/fixtures/css/empty.css | 0
 .../fixtures/links/cors_not_provided.html | 7 +++++
 .../integrity_and_cors_not_provided.html | 7 +++++
 .../links/integrity_and_cors_provided.html | 7 +++++
 .../links/integrity_not_provided.html | 7 +++++
 .../fixtures/links/local_stylesheet.html | 7 +++++
 spec/html-proofer/links_spec.rb | 30 +++++++++++++++++++
 8 files changed, 76 insertions(+)
 create mode 100644 spec/html-proofer/fixtures/css/empty.css
 create mode 100644 spec/html-proofer/fixtures/links/cors_not_provided.html
 create mode 100644 spec/html-proofer/fixtures/links/integrity_and_cors_not_provided.html
 create mode 100644 spec/html-proofer/fixtures/links/integrity_and_cors_provided.html
 create mode 100644 spec/html-proofer/fixtures/links/integrity_not_provided.html
 create mode 100644 spec/html-proofer/fixtures/links/local_stylesheet.html
diff --git a/lib/html-proofer/check/links.rb b/lib/html-proofer/check/links.rb
index 37f1f81e..061f4fe7 100644
--- a/lib/html-proofer/check/links.rb
+++ b/lib/html-proofer/check/links.rb
@@ -40,6 +40,7 @@ def run
 next if @link.non_http_remote?
 if !@link.internal? && @link.remote?
+ check_sri(line, content) if @link.check_sri?
 # we need to skip these for now; although the domain main be valid,
 # curl/Typheous inaccurately return 404s for some links. cc https://git.io/vyCFx
 next if @link.try(:rel) == 'dns-prefetch'
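Review bot: The new `check_sri(line, content) if @link.check_sri?` call runs before the `next if @link.try(:rel) == 'dns-prefetch'` skip on the next lines and before any further skips `run` applies later (the method continues past this hunk), so a resource hint such as `<link rel="dns-prefetch">` or `rel="preconnect"`, which fetches nothing and legitimately carries no `integrity`, would be reported unless `@link.check_sri?` — defined outside this patch — already limits the check to stylesheet links. Either move the call below the dns-prefetch skip or make the restriction explicit where `check_sri?` is defined, with a comment such as `# only a <link rel="stylesheet"> to a remote origin is subject to the SRI/CORS check`. The hunk also gives no hint which option enables the check; the spec passes `:check_sri => true`, so a one-line comment naming that option above the call would help the next reader.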
@@ -116,6 +117,16 @@ def hash_check(html, href_hash)
 XpathFunctions.new).length > 0
 end
+ def check_sri(line, content)
+ if !defined? @link.integrity and !defined? @link.crossorigin
+ add_issue("SRI and CORS not provided in: #{@link.src}", line: line, content: content)
+ elsif !defined? @link.integrity
+ add_issue("Integrity is missing in: #{@link.src}", line: line, content: content)
+ elsif !defined? @link.crossorigin
+ add_issue("CORS not provided for external resource in: #{@link.src}", line: line, content: content)
+ end
+ end
+
+ class XpathFunctions
 def case_insensitive_equals(node_set, str_to_match)
 node_set.find_all {|node| node.to_s.downcase == str_to_match.to_s.downcase }
diff --git a/spec/html-proofer/fixtures/css/empty.css b/spec/html-proofer/fixtures/css/empty.css
new file mode 100644
index 00000000..e69de29b
diff --git a/spec/html-proofer/fixtures/links/cors_not_provided.html b/spec/html-proofer/fixtures/links/cors_not_provided.html
new file mode 100644
index 00000000..51520d61
--- /dev/null
+++ b/spec/html-proofer/fixtures/links/cors_not_provided.html
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/spec/html-proofer/fixtures/links/integrity_and_cors_not_provided.html b/spec/html-proofer/fixtures/links/integrity_and_cors_not_provided.html
new file mode 100644
index 00000000..33cd5b61
--- /dev/null
+++ b/spec/html-proofer/fixtures/links/integrity_and_cors_not_provided.html
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/spec/html-proofer/fixtures/links/integrity_and_cors_provided.html b/spec/html-proofer/fixtures/links/integrity_and_cors_provided.html
new file mode 100644
index 00000000..2a125a6f
--- /dev/null
+++ b/spec/html-proofer/fixtures/links/integrity_and_cors_provided.html
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
\ No newline at end of file
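Review bot: `defined? @link.integrity` in `check_sri` does not test whether the `integrity` attribute is present in the markup; `defined?` applied to a method-call expression only reports whether `@link` responds to a method called `integrity`, so each branch here is either always taken or never taken for every link regardless of the HTML. If `Element` exposes attributes the way `@link.src` and `@link.try(:rel)` are used elsewhere in this file, compare the value instead: `if @link.try(:integrity).to_s.empty? && @link.try(:crossorigin).to_s.empty?`, `elsif @link.try(:integrity).to_s.empty?`, `elsif @link.try(:crossorigin).to_s.empty?` — `to_s.empty?` also catches `integrity=""`, which gives the browser nothing to verify, and `&&` replaces `and`, which is meant for control flow rather than boolean conditions. Please also confirm that `@link.src` yields the `href` of a `<link>` element, otherwise every message prints an empty location. A header comment would make the intent clear to the next maintainer, e.g. `# Reports a remote <link> missing the integrity and/or crossorigin attributes; with SRI the crossorigin attribute is required, since the browser cannot verify a cross-origin response it fetched without CORS.`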
diff --git a/spec/html-proofer/fixtures/links/integrity_not_provided.html b/spec/html-proofer/fixtures/links/integrity_not_provided.html
new file mode 100644
index 00000000..090cb125
--- /dev/null
+++ b/spec/html-proofer/fixtures/links/integrity_not_provided.html
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/spec/html-proofer/fixtures/links/local_stylesheet.html b/spec/html-proofer/fixtures/links/local_stylesheet.html
new file mode 100644
index 00000000..6b7a2997
--- /dev/null
+++ b/spec/html-proofer/fixtures/links/local_stylesheet.html
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/spec/html-proofer/links_spec.rb b/spec/html-proofer/links_spec.rb
index 2079e57a..185aa1f1 100644
--- a/spec/html-proofer/links_spec.rb
+++ b/spec/html-proofer/links_spec.rb
@@ -510,4 +510,34 @@
 proofer = run_proofer(hash_href, :file, { :allow_hash_href => true })
 expect(proofer.failed_tests.length).to eq 0
 end
+
+ it 'SRI and CORS not provided' do
+ file = "#{FIXTURES_DIR}/links/integrity_and_cors_not_provided.html"
+ proofer = run_proofer(file, :file, {:check_sri => true})
+ expect(proofer.failed_tests.first).to match(%r{SRI and CORS not provided})
+ end
+
+ it 'SRI not provided' do
+ file = "#{FIXTURES_DIR}/links/cors_not_provided.html"
+ proofer = run_proofer(file, :file, {:check_sri => true})
+ expect(proofer.failed_tests.first).to match(%r{CORS not provided})
+ end
+
+ it 'CORS not provided' do
+ file = "#{FIXTURES_DIR}/links/integrity_not_provided.html"
+ proofer = run_proofer(file, :file, {:check_sri => true})
+ expect(proofer.failed_tests.first).to match(%r{Integrity is missing})
+ end
+
+ it 'SRI and CORS provided' do
+ file = "#{FIXTURES_DIR}/links/integrity_and_cors_provided.html"
+ proofer = run_proofer(file, :file, {:check_sri => true})
+ expect(proofer.failed_tests).to eq []
+ end
+
+ it 'not checking local scripts' do
+ file = "#{FIXTURES_DIR}/links/local_stylesheet.html"
+ proofer = run_proofer(file, :file, {:check_sri => true})
+ expect(proofer.failed_tests).to eq []
+ end
 end
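Review bot: The example names are crossed with their fixtures: `it 'SRI not provided'` loads `cors_not_provided.html` and expects "CORS not provided", while `it 'CORS not provided'` loads `integrity_not_provided.html` and expects "Integrity is missing"; swapping the two descriptions makes a failing run name the right case, and `'not checking local scripts'` should say stylesheets since the fixture is `local_stylesheet.html`. The three negative examples only inspect `failed_tests.first`, so an extra spurious issue on the same file (for instance from a second `<link>` the check should have skipped) would go unnoticed; adding `expect(proofer.failed_tests.length).to eq 1` to each of them pins the check to exactly one report per fixture. The fixture bodies are not visible in this patch view, so which attributes each file actually carries cannot be confirmed here.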