Check for SRI/CORS in CSS files

lib/html-proofer/check/links.rb

@@ -40,6 +40,7 @@ def run
       next if @link.non_http_remote?
 
       if !@link.internal? && @link.remote?
+        check_sri(line, content) if @link.check_sri?
         # we need to skip these for now; although the domain main be valid,
         # curl/Typheous inaccurately return 404s for some links. cc https://git.io/vyCFx
         next if @link.try(:rel) == 'dns-prefetch'
@@ -116,6 +117,16 @@ def hash_check(html, href_hash)
                XpathFunctions.new).length > 0
   end
 
+  def check_sri(line, content)
+    if !defined? @link.integrity and !defined? @link.crossorigin
+      add_issue("SRI and CORS not provided in: #{@link.src}", line: line, content: content)
+    elsif !defined? @link.integrity
+      add_issue("Integrity is missing in: #{@link.src}", line: line, content: content)
+    elsif !defined? @link.crossorigin
+      add_issue("CORS not provided for external resource in: #{@link.src}", line: line, content: content)
+    end
+  end
+
   class XpathFunctions
     def case_insensitive_equals(node_set, str_to_match)
       node_set.find_all {|node| node.to_s.downcase == str_to_match.to_s.downcase }

spec/html-proofer/fixtures/links/cors_not_provided.html

@@ -0,0 +1,7 @@
+<html>
+<head>
+    <link href="http://assets-cdn.github.com/assets/frameworks-5b61aadc846f0818981ceec31b49c475fb084c163fdec5efbc2c21ef539092a9.css" rel="stylesheet" />
+</head>
+<body>
+</body>
+</html>

spec/html-proofer/fixtures/links/integrity_and_cors_not_provided.html

@@ -0,0 +1,7 @@
+<html>
+<head>
+    <link href="https://assets-cdn.github.com/assets/frameworks-5b61aadc846f0818981ceec31b49c475fb084c163fdec5efbc2c21ef539092a9.css" rel="stylesheet" />
+</head>
+<body>
+</body>
+</html>

spec/html-proofer/fixtures/links/integrity_and_cors_provided.html

@@ -0,0 +1,7 @@
+<html>
+<head>
+    <link crossorigin="anonymous" href="http://assets-cdn.github.com/assets/frameworks-5b61aadc846f0818981ceec31b49c475fb084c163fdec5efbc2c21ef539092a9.css" integrity="sha256-W2Gq3IRvCBiYHO7DG0nEdfsITBY/3sXvvCwh71OQkqk=" rel="stylesheet" />
+</head>
+<body>
+</body>
+</html>

spec/html-proofer/fixtures/links/integrity_not_provided.html

@@ -0,0 +1,7 @@
+<html>
+<head>
+    <link crossorigin="anonymous" href="https://assets-cdn.github.com/assets/frameworks-5b61aadc846f0818981ceec31b49c475fb084c163fdec5efbc2c21ef539092a9.css" rel="stylesheet" />
+</head>
+<body>
+</body>
+</html>

spec/html-proofer/fixtures/links/local_stylesheet.html

@@ -0,0 +1,7 @@
+<html>
+<head>
+    <link href="../css/empty.css" rel="stylesheet" />
+</head>
+<body>
+</body>
+</html>

spec/html-proofer/links_spec.rb

@@ -510,4 +510,34 @@
     proofer = run_proofer(hash_href, :file, { :allow_hash_href => true })
     expect(proofer.failed_tests.length).to eq 0
   end
+
+  it 'SRI and CORS not provided' do
+    file = "#{FIXTURES_DIR}/links/integrity_and_cors_not_provided.html"
+    proofer = run_proofer(file, :file, {:check_sri => true})
+    expect(proofer.failed_tests.first).to match(%r{SRI and CORS not provided})
+  end
+
+  it 'SRI not provided' do
+    file = "#{FIXTURES_DIR}/links/cors_not_provided.html"
+    proofer = run_proofer(file, :file, {:check_sri => true})
+    expect(proofer.failed_tests.first).to match(%r{CORS not provided})
+  end
+
+  it 'CORS not provided' do
+    file = "#{FIXTURES_DIR}/links/integrity_not_provided.html"
+    proofer = run_proofer(file, :file, {:check_sri => true})
+    expect(proofer.failed_tests.first).to match(%r{Integrity is missing})
+  end
+
+  it 'SRI and CORS provided' do
+    file = "#{FIXTURES_DIR}/links/integrity_and_cors_provided.html"
+    proofer = run_proofer(file, :file, {:check_sri => true})
+    expect(proofer.failed_tests).to eq []
+  end
+
+  it 'not checking local scripts' do
+    file = "#{FIXTURES_DIR}/links/local_stylesheet.html"
+    proofer = run_proofer(file, :file, {:check_sri => true})
+    expect(proofer.failed_tests).to eq []
+  end
 end