[Bug]: SubresourceIntegrityPlugin ignoring remote connections instead of throwing an error

[nanianlisao]

What problem does this feature solve?

In some scenarios, JavaScript might be injected beforehand to link to third-party CDNs. Enabling SubresourceIntegrityPlugin in this case might cause errors. Is it possible to ignore these errors?

What does the proposed API of configuration look like?

Remote connections are ignored by default, or you can add the configuration option remote: boolean.

[LingyuCoder]

I can't understand exactly what the scenario you described is. Could you please explain it in more detail?
For example, how are the resources loaded and what is your expectation?

[nanianlisao]

In some scenarios, it's necessary to insert third-party JavaScript code, assuming this is achieved using the beforeAssetTagGeneration method of the html-webpack-plugin, for example:

hooks.beforeAssetTagGeneration.tapAsync('addRemote', async (data, cb) => {
  data.assets.js.unshift('https://xxx.xxx.js');
  cb(null, data);
});

When SRI is enabled, a hash is generated for all assets.js files. Is it possible to ignore remote JS files when retrieving the source (src) instead of throwing an error?

I tried using a hook like alterAssetTags to insert them, but when the user sets inject: false, not all JS files are retrieved.

[LingyuCoder]

I understand. Currently, in the interop with the html plugin, for all <script> tags, the SRI plugin will try to find the corresponding chunk assets of their resources and then read the files to calculate the integrity hash.

However, to the script tags that are not generated by chunks (such as the tags you inserted through html plugin hooks here) are not recognized, generating a wrong file path and causing an file-reading error. I encountered the same situation in the webpack-subresource-integrity plugin.

This is actually a bug. When processing script tags, if the src is a http: or https: url and it does not contain the output.publicPath, it should be skipped directly. So I'll try to fix this bug without adding any new option.