Add SRI support for Node.js Runtime #73891

unstubbable · 2024-12-13T10:33:38Z

Note

This PR is best reviewed with hidden whitespace changes.

Support for setting Subresource Integrity attributes on app router scripts was added in #39729. But this only covered pages using the Edge Runtime.

With this PR, we're adding support for app pages using the Node.js Runtime. The only change that's needed for that, and which was probably just an oversight in the original PR, is reading the generated manifest file in loadComponents.

In a follow-up we should also add support for adding the integrity attribute to client component chunks that are injected into the head during server-side rendering, but that needs a change in React first.

fixes #66901

ijjk · 2024-12-13T10:38:25Z

Tests Passed

ijjk · 2024-12-13T10:44:54Z

Stats from current PR

Default Build (Increase detected ⚠️)

General Overall increase ⚠️

	vercel/next.js canary	vercel/next.js hl/sri-node	Change
buildDuration	18.5s	15.5s	N/A
buildDurationCached	14.8s	12.5s	N/A
nodeModulesSize	410 MB	410 MB	⚠️ +20.1 kB
nextStartRea..uration (ms)	473ms	477ms	N/A

Client Bundles (main, webpack)

	vercel/next.js canary	vercel/next.js hl/sri-node	Change
1187-HASH.js gzip	50.9 kB	50.9 kB	N/A
8276.HASH.js gzip	169 B	168 B	N/A
8377-HASH.js gzip	5.36 kB	5.36 kB	N/A
bccd1874-HASH.js gzip	53 kB	53 kB	N/A
framework-HASH.js gzip	57.5 kB	57.5 kB	N/A
main-app-HASH.js gzip	232 B	235 B	N/A
main-HASH.js gzip	34.1 kB	34 kB	N/A
webpack-HASH.js gzip	1.71 kB	1.71 kB	N/A
Overall change	0 B	0 B	✓

Legacy Client Bundles (polyfills)

	vercel/next.js canary	vercel/next.js hl/sri-node	Change
polyfills-HASH.js gzip	39.4 kB	39.4 kB	✓
Overall change	39.4 kB	39.4 kB	✓

Client Pages

	vercel/next.js canary	vercel/next.js hl/sri-node	Change
_app-HASH.js gzip	193 B	193 B	✓
_error-HASH.js gzip	193 B	193 B	✓
amp-HASH.js gzip	512 B	510 B	N/A
css-HASH.js gzip	343 B	342 B	N/A
dynamic-HASH.js gzip	1.84 kB	1.84 kB	✓
edge-ssr-HASH.js gzip	265 B	265 B	✓
head-HASH.js gzip	363 B	362 B	N/A
hooks-HASH.js gzip	393 B	392 B	N/A
image-HASH.js gzip	4.49 kB	4.49 kB	N/A
index-HASH.js gzip	268 B	268 B	✓
link-HASH.js gzip	2.35 kB	2.34 kB	N/A
routerDirect..HASH.js gzip	328 B	328 B	✓
script-HASH.js gzip	397 B	397 B	✓
withRouter-HASH.js gzip	323 B	326 B	N/A
1afbb74e6ecf..834.css gzip	106 B	106 B	✓
Overall change	3.59 kB	3.59 kB	✓

Client Build Manifests

	vercel/next.js canary	vercel/next.js hl/sri-node	Change
_buildManifest.js gzip	749 B	746 B	N/A
Overall change	0 B	0 B	✓

Rendered Page Sizes

	vercel/next.js canary	vercel/next.js hl/sri-node	Change
index.html gzip	523 B	524 B	N/A
link.html gzip	538 B	538 B	✓
withRouter.html gzip	518 B	521 B	N/A
Overall change	538 B	538 B	✓

Edge SSR bundle Size

	vercel/next.js canary	vercel/next.js hl/sri-node	Change
edge-ssr.js gzip	128 kB	128 kB	N/A
page.js gzip	204 kB	204 kB	N/A
Overall change	0 B	0 B	✓

Middleware size

	vercel/next.js canary	vercel/next.js hl/sri-node	Change
middleware-b..fest.js gzip	670 B	668 B	N/A
middleware-r..fest.js gzip	155 B	156 B	N/A
middleware.js gzip	31.2 kB	31.2 kB	N/A
edge-runtime..pack.js gzip	844 B	844 B	✓
Overall change	844 B	844 B	✓

Next Runtimes

	vercel/next.js canary	vercel/next.js hl/sri-node	Change
523-experime...dev.js gzip	322 B	322 B	✓
523.runtime.dev.js gzip	314 B	314 B	✓
app-page-exp...dev.js gzip	323 kB	323 kB	✓
app-page-exp..prod.js gzip	127 kB	127 kB	✓
app-page-tur..prod.js gzip	140 kB	140 kB	✓
app-page-tur..prod.js gzip	135 kB	135 kB	✓
app-page.run...dev.js gzip	313 kB	313 kB	✓
app-page.run..prod.js gzip	123 kB	123 kB	✓
app-route-ex...dev.js gzip	37.4 kB	37.4 kB	✓
app-route-ex..prod.js gzip	25.5 kB	25.5 kB	✓
app-route-tu..prod.js gzip	25.5 kB	25.5 kB	✓
app-route-tu..prod.js gzip	25.3 kB	25.3 kB	✓
app-route.ru...dev.js gzip	39 kB	39 kB	✓
app-route.ru..prod.js gzip	25.3 kB	25.3 kB	✓
pages-api-tu..prod.js gzip	9.69 kB	9.69 kB	✓
pages-api.ru...dev.js gzip	11.6 kB	11.6 kB	✓
pages-api.ru..prod.js gzip	9.68 kB	9.68 kB	✓
pages-turbo...prod.js gzip	21.7 kB	21.7 kB	✓
pages.runtim...dev.js gzip	27.4 kB	27.4 kB	✓
pages.runtim..prod.js gzip	21.7 kB	21.7 kB	✓
server.runti..prod.js gzip	916 kB	916 kB	N/A
Overall change	1.44 MB	1.44 MB	✓

build cache Overall increase ⚠️

	vercel/next.js canary	vercel/next.js hl/sri-node	Change
0.pack gzip	2.05 MB	2.05 MB	⚠️ +3.16 kB
index.pack gzip	73.4 kB	72.3 kB	N/A
Overall change	2.05 MB	2.05 MB	⚠️ +3.16 kB

Diff details

Diff for main-HASH.js

Diff too large to display

Diff for server.runtime.prod.js

Diff too large to display

Commit: 0cda604

darthmaim · 2024-12-13T11:09:56Z

This will fix

Subresource Integrity (SRI) not working #66901

In #73891 we added another manifest to be loaded in `loadComponents`. This uncovered a flakiness in prod mode when attempting to load an optional manifest. The non-existent manifest is attempted to be loaded three times with 100ms delay between attempts, before giving up. For some reason this increased loading time leads to more test flakiness. To mitigate this, we're limiting the retry behaviour to the dev mode, which matches the original intention when this was introduced in #45244.

In #73891 we added another manifest to be loaded in `loadComponents` (initially unconditionally). This uncovered a flakiness in prod mode when attempting to load an optional manifest. The non-existent manifest is attempted to be loaded three times with 100ms delay between attempts, before giving up. For some reason the increased loading time leads to more test flakiness. To mitigate this, we're limiting the retry behaviour to the dev mode, which matches the original intention when this was introduced in #45244.

Support for setting [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) attributes on app router scripts was added in #39729. But this only covered pages using the Edge Runtime. With this PR, we're adding support for pages using the Node.js Runtime. The only change that's needed for that, and which was probably just an oversight in the original PR, is reading the generated manifest file in `loadComponents`.

This reverts commit a3d27b2. This is not supported by Next.js yet, and will be added in a separate PR.

ijjk added created-by: Next.js team PRs by the Next.js team. tests type: next labels Dec 13, 2024

unstubbable mentioned this pull request Dec 13, 2024

Retry manifest file loading only in dev mode #73900

Merged

unstubbable force-pushed the hl/sri-node branch 2 times, most recently from 8395a2b to f7f6a52 Compare December 13, 2024 17:20

unstubbable marked this pull request as ready for review December 13, 2024 17:21

unstubbable requested a review from wyattjoh December 13, 2024 17:21

unstubbable added 5 commits December 14, 2024 00:20

Restore test behaviour from before #54752

73fc2d9

Revert "Restore test behaviour from before #54752"

b1a81b3

This reverts commit a3d27b2. This is not supported by Next.js yet, and will be added in a separate PR.

Only load SRI manifest if SRI is enabled

82e3e7c

Adjust error case expectation for PPR

0cda604

unstubbable force-pushed the hl/sri-node branch from f7f6a52 to 0cda604 Compare December 13, 2024 23:22

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add SRI support for Node.js Runtime #73891

Add SRI support for Node.js Runtime #73891

unstubbable commented Dec 13, 2024 •

edited

Loading

ijjk commented Dec 13, 2024 •

edited

Loading

ijjk commented Dec 13, 2024 •

edited

Loading

darthmaim commented Dec 13, 2024

Add SRI support for Node.js Runtime #73891

Are you sure you want to change the base?

Add SRI support for Node.js Runtime #73891

Conversation

unstubbable commented Dec 13, 2024 • edited Loading

ijjk commented Dec 13, 2024 • edited Loading

Tests Passed

ijjk commented Dec 13, 2024 • edited Loading

Stats from current PR

darthmaim commented Dec 13, 2024

unstubbable commented Dec 13, 2024 •

edited

Loading

ijjk commented Dec 13, 2024 •

edited

Loading

ijjk commented Dec 13, 2024 •

edited

Loading