Generate the integrity hash from compiled asset content

rafaelfranca · rafaelfranca · commit 06786e45eea5 · 2025-07-08T17:35:31.000Z
diff --git a/lib/propshaft/resolver/dynamic.rb b/lib/propshaft/resolver/dynamic.rb
@@ -16,7 +16,7 @@ def integrity(logical_path)
       hash_algorithm = load_path.integrity_hash_algorithm
 
       if hash_algorithm && (asset = find_asset(logical_path))
-        asset.integrity(hash_algorithm:)
+        generate_integrity(asset, hash_algorithm:)
       end
     end
 
@@ -30,5 +30,25 @@ def read(logical_path, options = {})
       def find_asset(logical_path)
         load_path.find(logical_path)
       end
+
+      def generate_integrity(asset, hash_algorithm:)
+        # Following the Subresource Integrity spec draft
+        # https://w3c.github.io/webappsec-subresource-integrity/
+        # allowing only sha256, sha384, and sha512
+        bitlen = case hash_algorithm
+          when "sha256"
+            256
+          when "sha384"
+            384
+          when "sha512"
+            512
+          else
+            raise(StandardError.new("Subresource Integrity hash algorithm must be one of SHA2 family (sha256, sha384, sha512)"))
+          end
+
+        content = load_path.compilers.compile(asset)
+
+        [hash_algorithm, Digest::SHA2.new(bitlen).base64digest(content)].join("-")
+      end
   end
 end
