SRI support #235
SRI support #235
Conversation
|
Excellent ! Adding to the list of things to do:
|
| @@ -128,6 +128,10 @@ public void setType(final String type) { | |||
| this.setAttribute("type", type); | |||
| } | |||
|
|
|||
| public String getIntegrity() { | |||
| return this.getAttribute("integrity"); | |||
There was a problem hiding this comment.
Also, make the function private, unless public is necessary.
| @@ -108,6 +108,10 @@ public void setType(final String type) { | |||
| this.setAttribute("type", type); | |||
| } | |||
|
|
|||
| public String getIntegrity() { | |||
| return this.getAttribute("integrity"); | |||
| } | |||
There was a problem hiding this comment.
minor: check indent
also check visibility (private / public)
| logger.warning("Unable to parse CSS. URI=[" + cssURI + "]. Response status was " + status + "."); | ||
| return getEmptyStyleSheet(); | ||
| } | ||
| */ |
| import java.util.Map; | ||
| import java.util.stream.Collectors; | ||
|
|
||
| public class AlgorithmDigest implements Comparable<AlgorithmDigest> { |
There was a problem hiding this comment.
check visibility of class: package private / public
Also make it final.
| public static boolean validate(final byte[] input, final String integrity) { | ||
|
|
||
| final List<AlgorithmDigest> algDigests = parseMetadata(integrity); | ||
| System.out.println("Strongest algorithms: " + algDigests); |
| System.out.println("The value of the integrity attribute is: " + integrity); | ||
|
|
||
| if (algDigests == null) | ||
| return true; |
There was a problem hiding this comment.
code style: surround with braces.
For a classic example of the problem that braces protect against, see: https://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/
| private static List<AlgorithmDigest> getHashes(final String[] tokens) { | ||
| final List<AlgorithmDigest> hashes = new ArrayList<AlgorithmDigest>(); | ||
|
|
||
| for (int i = 0; i < tokens.length; i++) { |
There was a problem hiding this comment.
Try converting to enhanced for loop. In eclipse Ctrl 1 should suggest it automatically.
| } catch (final Exception e) { | ||
| System.out.println("Exception: " + e.getMessage()); | ||
| } | ||
| return ""; |
There was a problem hiding this comment.
I think it is better to return null on failure, instead of empty string.
| @@ -251,7 +256,7 @@ private void setResponse(final ClientletResponse response) { | |||
| } | |||
| try { | |||
| this.changeReadyState(NetworkRequest.STATE_LOADING); | |||
| final LocalResponse newResponse = new LocalResponse(response); | |||
| LocalResponse newResponse = new LocalResponse(response); //was final before | |||
There was a problem hiding this comment.
Looks like it can be converted back to final.
…oved all debug prints.
The following actions take place: - If response is from cache, it undergoes integrity check. - If response fails integrity check, it is not added to cache.
Used the predefined functional interface Consumer<T> instead of Valid. The latter has been deleted. setResponse now takes Consumer<Boolean> as a parameter and calls accept() instead of returning a boolean value.
| final Runnable runnable = () -> { | ||
| if (response.isFromCache()) { | ||
| final Object cachedResponse = response.getTransientCachedObject(); | ||
| if (cachedResponse instanceof CacheableResponse) { | ||
| System.out.println("Cached response for " + response.getResponseURL()); |
| } | ||
|
|
||
| /* | ||
| * (non-Javadoc) | ||
| * | ||
| * @see net.sourceforge.xamj.http.RequestHandler#handleProgress(int, | ||
| * java.net.URL, int, int) | ||
| *void java.net.URL, int, int) |
There was a problem hiding this comment.
this looks like an accidental change
| @@ -97,7 +98,7 @@ public boolean handleException(final ClientletResponse response, final Throwable | |||
| * .ClientletResponse) | |||
| */ | |||
| @Override | |||
| public void processResponse(final ClientletResponse response) throws ClientletException, IOException { | |||
| public void processResponse(final ClientletResponse response, Consumer<Boolean> consumer) throws ClientletException, IOException { | |||
There was a problem hiding this comment.
In all these other processResponse implementations, the response is "valid", so you will have to call consumer.accept(true) somewhere in the function (most likely at the end of the function).
| * @param userName | ||
| * The HTTP authentication user name. | ||
| * @param integrity | ||
| * Integrity value to be checked. |
There was a problem hiding this comment.
This also looks like a spurious change.
Accidental and spurious changes undone. Added calls to consumer.accept(true) where absent.
Closes #234
This provides partial support for Subresource Integrity.
The following are yet to be considered: