mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-08 03:01:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

fix(security): support SRI integrity verification for dashboard plugin scripts

Browse source
This commit is contained in:
memosr 2026-05-04 01:20:06 +03:00 committed by Teknium
parent 46d1fc16ab
commit 5909526a06
2 changed files with 16 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
web/src/plugins/types.ts
View file

@ -22,6 +22,12 @@ export interface PluginManifest {
entry: string;
css?: string | null;
has_api: boolean;
/**
* Optional Subresource Integrity hash (e.g. "sha384-..."). When set,
* the browser will refuse to execute the plugin bundle if its hash
* does not match. This protects against tampered plugin delivery.
*/
integrity?: string;
source: string;
}

10
web/src/plugins/usePlugins.ts
View file

@ -68,6 +68,16 @@ export function usePlugins() {
script.setAttribute("data-hermes-plugin", manifest.name);
script.src = scriptSrc;
script.async = true;
// SRI integrity verification — defense against compromised plugin
// delivery. Plugin manifests can declare an integrity hash
// (e.g. "sha384-...") which the browser verifies before executing.
// Without this, a man-in-the-middle or compromised plugin server
// can substitute the JS bundle silently. Opt-in: when no integrity
// is declared in the manifest, behavior is unchanged.
if (manifest.integrity && typeof manifest.integrity === "string") {
script.integrity = manifest.integrity;
script.crossOrigin = "anonymous";
}
script.onerror = () => {
setPluginLoadError(manifest.name, "LOAD_FAILED");
console.warn(