fix: not try to add integrity to tags with remote url (#12262)

LingyuCoder · web-flow · commit 4746bb1ecf8f · 2025-11-21T09:11:06.000Z
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/rspack_plugin_sri/Cargo.toml b/crates/rspack_plugin_sri/Cargo.toml
@@ -33,11 +33,12 @@ serde_json                      = { workspace = true }
 sha2                            = { workspace = true }
 tokio                           = { workspace = true }
 tracing                         = { workspace = true }
+url                             = { workspace = true }
 urlencoding                     = { workspace = true }
 
 [package.metadata.cargo-shear]
 ignored = ["tracing", "async-trait", "rspack_hash", "tokio"]
 
 [lints.rust.unexpected_cfgs]
-level = "warn"
 check-cfg = ['cfg(allocative)']
+level     = "warn"
diff --git a/crates/rspack_plugin_sri/src/html.rs b/crates/rspack_plugin_sri/src/html.rs
@@ -11,6 +11,7 @@ use rspack_plugin_html::{
 };
 use rustc_hash::FxHashMap as HashMap;
 use tokio::sync::RwLock;
+use url::Url;
 
 use crate::{
   SRICompilationContext, SubresourceIntegrityHashFunction, SubresourceIntegrityPlugin,
@@ -170,6 +171,14 @@ async fn process_tag(
     return Ok(None);
   };
 
+  // A tag which is not generated by chunks should be skipped
+  if let Ok(url) = Url::parse(&tag_src)
+    && (url.scheme() == "http" || url.scheme() == "https")
+    && (public_path.is_empty() || !tag_src.starts_with(public_path))
+  {
+    return Ok(None);
+  }
+
   let src = get_asset_path(&tag_src, public_path);
   if let Some(integrity) =
     get_integrity_checksum_for_asset(&src, integrities, normalized_integrities).await
diff --git a/packages/rspack/src/builtin-plugin/SubresourceIntegrityPlugin.ts b/packages/rspack/src/builtin-plugin/SubresourceIntegrityPlugin.ts
@@ -190,6 +190,18 @@ export class SubresourceIntegrityPlugin extends NativeSubresourceIntegrityPlugin
 			return;
 		}
 
+		try {
+			const url = new URL(tagSrc);
+			if (
+				(url.protocol === "http:" || url.protocol === "https:") &&
+				(!publicPath || !tagSrc.startsWith(publicPath))
+			) {
+				return;
+			}
+		} catch (_) {
+			// do nothing
+		}
+
 		const src = relative(publicPath, decodeURIComponent(tagSrc));
 		tag.attributes.integrity =
 			this.getIntegrityChecksumForAsset(src) ||
diff --git a/tests/rspack-test/configCases/sri/remote-src/index.js b/tests/rspack-test/configCases/sri/remote-src/index.js
@@ -0,0 +1 @@
+it("should compile", () => { });
diff --git a/tests/rspack-test/configCases/sri/remote-src/rspack.config.js b/tests/rspack-test/configCases/sri/remote-src/rspack.config.js
@@ -0,0 +1,67 @@
+const { experiments, HtmlRspackPlugin } = require("@rspack/core");
+const HtmlWebpackPlugin = require("html-webpack-plugin");
+const fs = require("fs");
+const path = require("path");
+
+/** @type {import("@rspack/core").Configuration} */
+module.exports = (_, { testPath }) => ([{
+  target: "web",
+  output: {
+    crossOriginLoading: "anonymous",
+  },
+  plugins: [
+    new experiments.SubresourceIntegrityPlugin(),
+    new HtmlRspackPlugin({
+      filename: "index.html",
+    }),
+    {
+      apply(compiler) {
+        compiler.hooks.compilation.tap('TestPlugin', (compilation) => {
+          HtmlRspackPlugin.getCompilationHooks(compilation).beforeAssetTagGeneration.tap('SubresourceIntegrityPlugin', (data) => {
+            data.assets.js.push("http://localhost:3000/index.js");
+          });
+        });
+      }
+    },
+    {
+      apply(compiler) {
+        compiler.hooks.done.tap('TestPlugin', () => {
+          const htmlContent = fs.readFileSync(path.resolve(testPath, "index.html"), "utf-8");
+          expect(htmlContent).toMatch(/<script crossorigin defer integrity=".+" src="bundle0\.js">/);
+          expect(htmlContent).toMatch(/<script defer src="http:\/\/localhost:3000\/index\.js">/);
+        });
+      }
+    }
+  ],
+}, {
+  target: "web",
+  output: {
+    crossOriginLoading: "anonymous",
+  },
+  plugins: [
+    new experiments.SubresourceIntegrityPlugin({
+      htmlPlugin: require.resolve("html-webpack-plugin"),
+    }),
+    new HtmlWebpackPlugin({
+      filename: "index1.html",
+    }),
+    {
+      apply(compiler) {
+        compiler.hooks.compilation.tap('TestPlugin', (compilation) => {
+          HtmlWebpackPlugin.getCompilationHooks(compilation).beforeAssetTagGeneration.tap('SubresourceIntegrityPlugin', (data) => {
+            data.assets.js.push("http://localhost:3000/index.js");
+          });
+        });
+      }
+    },
+    {
+      apply(compiler) {
+        compiler.hooks.done.tap('TestPlugin', () => {
+          const htmlContent = fs.readFileSync(path.resolve(testPath, "index1.html"), "utf-8");
+          expect(htmlContent).toMatch(/<script defer="defer" src="bundle1.js" integrity=".+" crossorigin="anonymous">/);
+          expect(htmlContent).toMatch(/<script defer="defer" src="http:\/\/localhost:3000\/index\.js">/);
+        });
+      }
+    }
+  ],
+}]);
diff --git a/tests/rspack-test/configCases/sri/remote-src/test.config.js b/tests/rspack-test/configCases/sri/remote-src/test.config.js
@@ -0,0 +1,3 @@
+module.exports = {
+  noTests: true
+};

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+module.exports = {`
	`2`	`+ noTests: true`
	`3`	`+};`