Feature: #109187 - Automatic SRI hash resolution for resource includes
See forge#109187
Description
Setting integrity = auto on any resource include that supports the integrity
property causes TYPO3 to automatically compute and inject the Subresource
Integrity (SRI) hash for that resource instead of requiring a manually
pre-computed hash value.
This works for all integrity-supporting TypoScript include properties:
page.includeCSS
page.includeCSSLibs
page.includeJS
page.includeJSLibs
page.includeJSFooter
page.includeJSFooterlibs
The hash is computed using SHA-256 and the result is cached via
cache. with a 7-day TTL, so there is no per-request overhead
after the first render for a given resource.
For external URL resources, crossorigin="anonymous" is added automatically
when the hash is successfully resolved, as required by the SRI specification
for cross-origin resources.
Note
When using integrity = auto for remote HTTP(S) URLs, TYPO3 fetches the
resource from the remote server to compute its hash. The computed hash
reflects the content returned by the remote server at the time of the first
fetch. The remote server must therefore be trusted.
If the remote resource is compromised or altered at the time of the initial
fetch, the hash will be computed from the compromised content and browsers
will subsequently accept it. For maximum security, use explicit pre-computed
hash values (e.g. integrity = sha256-) obtained from a trusted source rather
than relying on automatic resolution for externally hosted resources.
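The trust-on-first-fetch caveat in the note above, as an added Python example (not TYPO3 code and not its implementation): it computes an SRI value, checks content against an integrity attribute, and compares a hash derived from a tampered first fetch with one pinned from a trusted copy. All names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib

# Algorithms defined by the SRI specification, weakest to strongest.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha256") -> str:
    """Return the integrity attribute value for content, e.g. 'sha256-...'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Compare content against an integrity value. As in browsers, only the
    hashes using the strongest listed algorithm count. Unlike a browser,
    this check fails closed when no usable hash is present."""
    candidates = []
    for token in integrity.split():
        algo, sep, rest = token.partition("-")
        if sep and algo in SRI_ALGOS:
            candidates.append((algo, rest.split("?", 1)[0]))  # drop options
    if not candidates:
        return False
    strongest = max(candidates, key=lambda c: SRI_ALGOS.index(c[0]))[0]
    return any(
        sri_hash(content, algo) == f"{algo}-{value}"
        for algo, value in candidates if algo == strongest
    )


# Constructed sample data: the stylesheet as published by a trusted release,
# and the bytes an altered remote server returns at the first fetch.
TRUSTED = b"body { color: #333; }\n"
TAMPERED = TRUSTED + b"/* modified on the remote server */\n"

# Automatic resolution hashes whatever the first fetch returned.
AUTO_FROM_TAMPERED = sri_hash(TAMPERED)
# A pinned value is computed offline from the trusted copy.
PINNED = sri_hash(TRUSTED)
```

With these values, the tampered bytes pass the check against `AUTO_FROM_TAMPERED` and fail it against `PINNED`, which is the difference the note describes.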
The equivalent PHP constant \TYPO3\ can be used when calling the Page or
Asset APIs directly.
Impact
It is now possible to enable SRI for resource includes without manually
computing the hash value. Setting integrity = auto is sufficient:
page.includeCSS {
    main = https://cdn.example.com/styles/main.css
    main.integrity = auto
    # crossorigin="anonymous" is added automatically for external URLs
}
page.includeJS {
    app = EXT:my_extension/Resources/Public/JavaScript/app.js
    app.integrity = auto
}
This results in output such as:
<link rel="stylesheet" href="https://cdn.example.com/styles/main.css" media="all" integrity="sha256-abc123==" crossorigin="anonymous">
<script src="/typo3conf/ext/my_extension/Resources/Public/JavaScript/app.js" integrity="sha256-xyz789=="></script>
When using the PHP API directly, pass Resource as the $integrity argument:
use TYPO3\CMS\Core\Page\ResourceHashCollection;

$pageRenderer->addCssFile(
    'EXT:my_extension/Resources/Public/Css/style.css',
    integrity: ResourceHashCollection::AUTO,
);
$pageRenderer->addJsFile(
    'EXT:my_extension/Resources/Public/JavaScript/app.js',
    integrity: ResourceHashCollection::AUTO,
);
$assetCollector->addStyleSheet(
    'my-styles',
    'EXT:my_extension/Resources/Public/Css/style.css',
    ['integrity' => ResourceHashCollection::AUTO],
);