fix: should match protocol-relative url of public path and tag src in SRI plugin#12265
Merged
LingyuCoder merged 1 commit intomainfrom Nov 24, 2025
Merged
Conversation
✅ Deploy Preview for rspack canceled.
|
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR fixes the Subresource Integrity (SRI) plugin to properly handle protocol-relative URLs (URLs starting with //) and ensure they're correctly matched against the configured publicPath regardless of whether one uses an explicit protocol (http: or https:) and the other doesn't.
Key Changes:
- Normalizes both tag source URLs and
publicPathto protocol-relative format for comparison - Applies SRI integrity attributes to resources that match the
publicPathregardless of protocol differences - Adds comprehensive test coverage for various protocol matching scenarios
Reviewed Changes
Copilot reviewed 6 out of 8 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
packages/rspack/src/builtin-plugin/SubresourceIntegrityPlugin.ts |
Updated TypeScript implementation to normalize URLs by removing protocols before comparison and then restoring the publicPath protocol |
crates/rspack_plugin_sri/src/html.rs |
Updated Rust implementation with equivalent protocol normalization logic |
crates/rspack_plugin_sri/Cargo.toml |
Added once_cell dependency for lazy static regex initialization |
Cargo.lock |
Updated lock file with once_cell dependency |
tests/rspack-test/configCases/sri/remote-src-protocol/rspack.config.js |
Added comprehensive test cases covering all combinations of protocol-relative and explicit protocol URLs |
tests/rspack-test/configCases/sri/remote-src-protocol/test.config.js |
Added test configuration |
tests/rspack-test/configCases/sri/remote-src-protocol/index.js |
Added test entry point with dynamic import |
tests/rspack-test/configCases/sri/remote-src-protocol/chunk.js |
Added empty chunk file for dynamic import testing |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
LingyuCoder
commented
Nov 21, 2025
Contributor
📦 Binary Size-limit
❌ Size increased by 7.00KB from 47.63MB to 47.64MB (⬆️0.01%) |
CodSpeed Performance ReportMerging #12265 will not alter performanceComparing Summary
|
|
|
0b81102 to
d1fe4f0
Compare
hardfist
approved these changes
Nov 24, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Support protocol-relative url when match public path and tag src. Both the public path and tag src can be protocol-relative url. If they are matched, the SRI integrity hash should be found and add to the tag.
Originally posted by @nanianlisao in #12262 (comment)
Related links
Checklist