Add Subresource Integrity Generator #12

Open. Wants to merge 6 commits into base: main.

Conversation

vzool
Member

@vzool vzool commented Feb 8, 2023

This PR uses the gulp-sri-hash plugin on a build tool called gulp to enforce SRI hashes on js/css files when they are loaded by html files. gulp can be installed globally with this command:

```sh
npm install --global gulp-cli
```

Don't forget to run npm install to update the dev dependencies.
gulp will update the html files with the recommended coding style and update the SRI hash automatically if necessary.
So, for any future changes to js/css file contents, you just need to run:

```sh
gulp
```

Finally, for future development: just gulp, commit and push. 😋✌️

@zigazajc007
Member

zigazajc007 commented Feb 8, 2023

We also need to add a nonce-based strict CSP or a hash-based strict CSP. As the Passky Website is client side only, we would need to use a hash-based strict CSP.

https://web.dev/strict-csp/

@zigazajc007
Member

zigazajc007 commented Feb 8, 2023

CSP is already provided in the _headers file, and it is not recommended to use CSP inside HTML. It should be provided by Nginx / Apache (the web server).

@vzool
Member Author

vzool commented Feb 8, 2023

> CSP is already provided in the _headers file, and it is not recommended to use CSP inside HTML. It should be provided by Nginx / Apache (the web server).

I think if it is provided on both sides it will be better; zero trust means every party must always verify. 🤗

@zigazajc007
Member

> CSP is already provided in the _headers file, and it is not recommended to use CSP inside HTML. It should be provided by Nginx / Apache (the web server).

> I think if it is provided on both sides it will be better; zero trust means every party must always verify. 🤗

Would need to check / do some research about the disadvantages of providing CSP in both ways.

@vzool
Member Author

vzool commented Feb 9, 2023

> Would need to check / do some research about the disadvantages of providing CSP in both ways.

Of course there is one issue, which is also an advantage: the website will no longer work over HTTP when accessing a deployment on the LAN (http://192.168.x.x), and that's an excellent thing.
So, the solution is providing a self-signed certificate, which is better than plain text, and accessing the LAN deployment via (https://192.168.x.x). 🤗
Even then, all browsers will just give a certificate error with the option to ignore it and continue serving the website. 😋✌️

@vzool
Member Author

vzool commented Feb 9, 2023

> We also need to add a nonce-based strict CSP or a hash-based strict CSP. As the Passky Website is client side only, we would need to use a hash-based strict CSP.
>
> https://web.dev/strict-csp/

Done 😋✌️

@vzool
Member Author

vzool commented Feb 9, 2023

Now if you try to inject any code like:

```js
// Inline script injected at runtime: it carries no nonce and its hash is not
// in the policy, so a strict CSP refuses to execute it
let script = document.createElement("script");
script.innerHTML = "alert('YOU HAVE BEEN HACKED');";
document.body.appendChild(script);
```

It will not allow you to do that anymore; this is too delicious. 😋✌️

Screenshot 1444-07-18 at 11 24 00 AM

@vzool
Member Author

vzool commented Feb 9, 2023

This is the current status 🙈

Screenshot 1444-07-18 at 11 26 56 AM

@zigazajc007
Member

> Would need to check / do some research about the disadvantages of providing CSP in both ways.

> Of course there is one issue, which is also an advantage: the website will no longer work over HTTP when accessing a deployment on the LAN (http://192.168.x.x), and that's an excellent thing. So, the solution is providing a self-signed certificate, which is better than plain text, and accessing the LAN deployment via (https://192.168.x.x). 🤗 Even then, all browsers will just give a certificate error with the option to ignore it and continue serving the website. 😋✌️

Sadly this won't be possible because of Umbrel and also Tor. Both Umbrel and Tor operate on HTTP.

@vzool
Member Author

vzool commented Feb 9, 2023

> Sadly this won't be possible because of Umbrel and also Tor. Both Umbrel and Tor operate on HTTP.

I'm not sure why Umbrel assumes that a LAN network is always safe; in fact, it is never safe. Any network attached to the internet is not safe anymore. I tested Umbrel before and it is still not stable.
So, I think it is fine for Passky to go with Umbrel on HTTPS and later on Tor. 🤔

@zigazajc007
Member

zigazajc007 commented Feb 9, 2023

> Sadly this won't be possible because of Umbrel and also Tor. Both Umbrel and Tor operate on HTTP.

> I'm not sure why Umbrel assumes that a LAN network is always safe; in fact, it is never safe. Any network attached to the internet is not safe anymore. I tested Umbrel before and it is still not stable. So, I think it is fine for Passky to go with Umbrel on HTTPS and later on Tor. 🤔

Umbrel manages certificates on their own, so we would probably need to wait for them to add support first. A LAN network is not always safe, but it is a lot safer than hosting Passky Server on the internet, where everyone has access to it.

@vzool
Member Author

vzool commented Feb 12, 2023

> Umbrel manages certificates on their own, so we would probably need to wait for them to add support first. A LAN network is not always safe, but it is a lot safer than hosting Passky Server on the internet, where everyone has access to it.

The gulp build script has been expanded to export extra resources for the "insecure HTTP protocol" in the directory
Passky-Website/dist/http, which can be used to build the image for Umbrel.
But the dist/http directory is not tracked by git, so you can type gulp to generate all the files, or just call ./publish_for_http.sh from the terminal, which will transform the secure HTTPS web app to work with the "insecure HTTP protocol". 😋✌️

@vzool
Member Author

vzool commented Feb 12, 2023

BTW, on the HTTP side, integrity and CSP still work, but without the need for the HTTPS channel, which is no longer required for the transformed app in dist/http, while the original app still forces HTTPS.
Now we can support the best of both worlds. 🤗
