UNPKG

@mithray/hashtml

Version:

Hashed and Signed Hypertext Markup Language

github.com/mithray/hashtml

mithray/hashtml

104 lines (85 loc) 2.25 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
## Server Use The minification should either follow a set standard so that browsers eventually have the chance to comply, or a javascript file should be included that allows the browser to verify the hash and signature programmitically. This project is attempting to make such resources available. ``` html <nav class="HashTML"> nav { --background-color: black; --text-color: white; } <ul> <li id="home">Home</li> <li id="about">About</li> <li id="contact">Contact</li> </ul> </nav> ``` ### Step 1 Remove textContent ``` html <nav class="HashTML"> nav { --background-color: black; --text-color: white; } <ul> <li id="home"></li> <li id="about"></li> <li id="contact"></li> </ul> </nav> ``` ### Step 2 Remove Variables ``` html <nav class="HashTML"> nav { } <ul> <li id="home"></li> <li id="about"></li> <li id="contact"></li> </ul> </nav> ``` Because we are including CSS and Javascript content as part of the hash, with the exception of variables, we can also take out the id and classes. ### Step 3 Remove Empty CSS Tags, ids, classes ``` html <nav class="HashTML"> <ul> <li></li> <li></li> <li></li> </ul> </nav> ``` ### Step 4 Pass through html-minifier ``` html <nav id=HashTML><ul><li><li><li></ul></nav> ``` ### Step 5 InnerHTML is extracted from the parent component. Building the template on the server side: ``` javascript let elems = document.querySelector(".HashTML") for(elem in elems){ let inner = elem.innerHTML let hash = inner.hash("sha256") let signature = privateKey.sign(hash) elem[integrity=hash] elem[signature=signature] } ``` The resulting html component: ``` html <nav class="HashTML" integrity="f3bd8e3a82b..." signature="4ubkf7..."><ul><li></li><li></li><li></li></ul></nav> ``` Verifying the hash and signature on client side could either produce an alert on failing to load, silently fail to load the resource, or could provide a fallback: ``` javascript let elem = document.querySelector("#HashTML") let inner = minify(elem.innerHTML) let hash = inner.hash("sha256") if(hash !== elem[integrity]){ alert('webpage has been compromised!') } let verified = verify(hash, signature) if(verified !== true){ alert('webpage has been compromised!') } ```