Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CHECKOUT-8519: Load scripts with integrity hashes to meet PCI4 requirements #2020

Merged
merged 1 commit into from
Sep 30, 2024
Merged

CHECKOUT-8519: Load scripts with integrity hashes to meet PCI4 requirements #2020

merged 1 commit into from
Sep 30, 2024

Conversation

davidchin
Copy link
Contributor

What?

Include integrity hashes in manifest.json to be added to the scripts and stylesheets used during checkout. Any script or stylesheet that doesn't match its corresponding subresource integrity hash (SRI) will not be executed.

Why?

To comply with the script integrity requirement (6.4.3) of PCI4, which ensures that scripts executed during checkout have not been tampered with by a malicious attacker.

Testing / Proof

Screenshot 2024-09-23 at 4 06 31 PM

@bigcommerce/team-checkout

@davidchin davidchin marked this pull request as ready for review September 23, 2024 06:34
@davidchin davidchin requested a review from a team as a code owner September 23, 2024 06:34
animesh1987
animesh1987 reviewed Sep 26, 2024
View reviewed changes
webpack.config.js
@@ -32,6 +36,7 @@ const BABEL_PRESET_ENV_CONFIG = {
useBuiltIns: 'usage',
modules: false,
};
const PRELOAD_ASSETS = ['billing', 'shipping', 'payment'];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does this do? Does it mean we now load assets before we actually get on the step?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@animesh1987 We used to preload all assets listed in the dynamicChunks section of manifest.json. However, as manifest.json now includes the dynamic chunks for loader.js, which contains translation JSON files in various languages (e.g., translations-es-1.525.0.js), we need to limit preloading to only the necessary ones (billing, shipping and payment).

animesh1987
animesh1987 approved these changes Sep 26, 2024
View reviewed changes
Copy link
Contributor

@animesh1987 animesh1987 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me code wise 👍

@davidchin davidchin merged commit 63923ce into master Sep 30, 2024
12 checks passed
@davidchin davidchin deleted the integrity_hash branch September 30, 2024 00:20
@davidchin davidchin mentioned this pull request Oct 1, 2024
Merged
@richapatel1510 richapatel1510 mentioned this pull request Oct 4, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@richapatel1510 richapatel1510 richapatel1510 approved these changes

@bc-peng bc-peng bc-peng approved these changes

@animesh1987 animesh1987 animesh1987 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@davidchin @animesh1987 @bc-peng @richapatel1510