Skip to content

feat(web-component): add SRI support for web-component-ui loader RELEASE#1333

Merged
dorsha merged 4 commits intomainfrom
shuni/task-20260216142601
Feb 26, 2026
Merged

feat(web-component): add SRI support for web-component-ui loader RELEASE#1333
dorsha merged 4 commits intomainfrom
shuni/task-20260216142601

Conversation

@omercnet
Copy link
Member

@omercnet omercnet commented Feb 16, 2026
edited
Loading

Summary

Implements client-side Subresource Integrity (SRI) support for the web-component-ui script loader. When the backend includes a componentsVersionSri hash in config.json, the web component automatically adds integrity and crossorigin attributes to the injected <script> tag, enabling the browser to verify the script has not been tampered with.

Zero breaking changes — if no SRI hash is present in config, the component loads normally as before.

Changes

Source

  • configMixin/types.ts: Added optional componentsVersionSri?: string to ProjectConfiguration type
  • injectNpmLibMixin/helpers.ts:
    • setupScript() now accepts optional integrity param; sets crossOrigin = "anonymous" when present
    • handleExistingScript() rejects with an error on integrity mismatch (tamper detection)
    • generateLibUrls() accepts optional integrity and propagates it to all CDN fallback URLs
    • Exported ScriptData type (includes optional integrity field)
  • injectNpmLibMixin/injectNpmLibMixin.ts: Added integrity param to injectNpmLib(); logs when SRI is active
  • descopeUiMixin/descopeUiMixin.ts: Added #getComponentsVersionSri() to read hash from config; passes it to injectNpmLib()

Tests

  • packages/sdks/web-component/test/descope-wc.sri.test.ts: 6 integration tests (with/without SRI, different hash algorithms, CDN fallbacks, backward compat)
  • packages/libs/sdk-mixins/test/injectNpmLibMixin.sri.test.ts: 6 unit tests for generateLibUrls SRI behavior and ScriptData type

Docs

  • packages/sdks/web-component/README.md: Added Security Features section (SRI usage, CSP compatibility, example output)

Example output

With SRI (automatic when hash is in config):

<script
  src="https://descopecdn.com/npm/@descope/web-components-ui@1.0.0/dist/umd/index.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K..."
  crossorigin="anonymous"
></script>

Without SRI (backward compatible):

<script
  src="https://descopecdn.com/npm/@descope/web-components-ui@1.0.0/dist/umd/index.js"
></script>

Test plan

  • sdk-mixins test suite passes (32 tests)
  • web-component SRI test suite passes (6 tests)
  • No regressions in existing descopeUiMixin and staticResourcesMixin tests
  • Verify end-to-end once backend deploys componentsVersionSri in config — injected script tag should include integrity and crossorigin attributes

fixes https://github.com/descope/etc/issues/9545

@omercnet @claude
feat(web-component): add sri support for web-component-ui loader
1e2df56 
Implement client-side SRI (Subresource Integrity) support for
enhanced security when loading the web-components-ui library.

Changes:
- Add componentsVersionSRI field to ProjectConfiguration type
- Update script injection helpers to support integrity attribute
- Automatically add crossorigin="anonymous" when integrity is present
- Retrieve and pass SRI hash from config.json to script loader
- Add comprehensive tests for SRI functionality
- Update documentation with security features section

The implementation is fully backward compatible. When SRI hash is
not available in config (older projects), components load normally
without integrity checks.

Related backend PR: descope/orchestrationservice#5339
Fixes: descope/etc#2098

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@vercel
Copy link

vercel bot commented Feb 16, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
access-key-management-widget Ready Ready Preview, Comment Feb 26, 2026 4:42pm
audit-management-widget Ready Ready Preview, Comment Feb 26, 2026 4:42pm
role-management-widget Ready Ready Preview, Comment Feb 26, 2026 4:42pm
user-management-widget Ready Ready Preview, Comment Feb 26, 2026 4:42pm
user-profile-widget Ready Ready Preview, Comment Feb 26, 2026 4:42pm

Request Review

Copilot AI review requested due to automatic review settings February 16, 2026 14:32
@nx-cloud
Copy link

nx-cloud bot commented Feb 16, 2026
edited
Loading

View your CI Pipeline Execution ↗ for commit 0d844c7

Command Status Duration Result
nx affected --target test:e2e ✅ Succeeded 3m 7s View ↗
nx affected --target test ✅ Succeeded 2s View ↗
nx affected --target lint --fix=true ✅ Succeeded 1s View ↗
nx affected --target build ✅ Succeeded 3s View ↗
nx affected --target licenseCheck ✅ Succeeded <1s View ↗

☁️ Nx Cloud last updated this comment at 2026-02-26 18:40:29 UTC

Copilot AI reviewed Feb 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements client-side Subresource Integrity (SRI) support for the web-component-ui loader in descope-js. The implementation automatically applies cryptographic integrity verification to dynamically loaded scripts when SRI hashes are provided in the project configuration, enhancing security by protecting against tampered CDN resources.

Changes:

  • Added optional componentsVersionSRI field to project configuration types for backward compatibility
  • Modified script injection infrastructure to support integrity attributes and automatic crossorigin="anonymous" when SRI is enabled
  • Updated Descope UI mixin to retrieve and pass SRI hashes from configuration to the script injection mechanism
  • Added comprehensive test suites covering SRI functionality, backward compatibility, and edge cases
  • Enhanced documentation with security features section explaining SRI usage and CSP compatibility

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
packages/libs/sdk-mixins/src/mixins/configMixin/types.ts Added optional componentsVersionSRI field to ProjectConfiguration type
packages/libs/sdk-mixins/src/mixins/injectNpmLibMixin/helpers.ts Modified setupScript to accept integrity parameter and apply SRI attributes; updated ScriptData type and related functions
packages/libs/sdk-mixins/src/mixins/injectNpmLibMixin/injectNpmLibMixin.ts Added integrity parameter to injectNpmLib method with logging
packages/libs/sdk-mixins/src/mixins/descopeUiMixin/descopeUiMixin.ts Added #getComponentsVersionSRI method and integrated SRI hash into script loading
packages/sdks/web-component/test/descope-wc.sri.test.ts Added integration tests for SRI functionality (contains critical bug - missing test utilities)
packages/libs/sdk-mixins/test/injectNpmLibMixin.sri.test.ts Added unit tests for SRI helper functions (contains minor naming and logic issues)
packages/sdks/web-component/README.md Added Security Features section documenting SRI and CSP compatibility
SRI_IMPLEMENTATION.md Added comprehensive technical documentation for SRI implementation

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@dorsha dorsha requested a review from nirgur February 16, 2026 19:40
@omercnet omercnet marked this pull request as draft February 17, 2026 10:41
@omercnet
Copy link
Member Author

omercnet commented Feb 17, 2026

/review

@shuni-bot
Copy link

shuni-bot bot commented Feb 17, 2026
edited
Loading

🐕 Done! Updated PR: #1333

View workflow run

📋 Actions Taken

✅ Thread 1: Add missing test utility functions to testUtils.ts
✅ Thread 2: Apply nonce attribute to dynamically created script tags
✅ Thread 3: Remove incorrect eslint-disable comment in descopeUiMixin.ts
✅ Thread 4: Fix misleading test name in injectNpmLibMixin.sri.test.ts
✅ Thread 5: Fix empty string handling for integrity parameter
✅ Thread 6: Verify integrity attribute when reusing existing scripts
✅ Reply to all review threads and resolve fixed ones
✅ Run tests and verify all changes work correctly
✅ Commit all fixes with git-master

@omercnet
fix: address review feedback for SRI implementation
00cfe28 
- Use existing test harness pattern in test utilities
- Add nonce attribute support to script tags
- Remove incorrect eslint-disable comment
- Fix test name and empty string handling for integrity
- Add integrity verification when reusing existing scripts
@omercnet
Copy link
Member Author

omercnet commented Feb 17, 2026

✅ Review Complete - All Threads Addressed

I've reviewed and addressed all 6 review threads from @copilot-pull-request-reviewer:

🔧 Fixes Implemented

Thread 1: Missing Test Utilities ✅ RESOLVED

  • Updated test file to use existing setupWebComponentTestEnv and teardownWebComponentTestEnv pattern
  • Matches existing test structure (e.g., descope-wc.descopeUI.test.ts)

Thread 2: Nonce Attribute for Script Tags ✅ RESOLVED

  • Added window.DESCOPE_NONCE check to setupScript()
  • Script tags now apply nonce attribute when available
  • Matches pattern used for style elements in codebase

Thread 3: Incorrect eslint-disable Comment ✅ RESOLVED

  • Removed eslint-disable-next-line class-methods-use-this from #getComponentsVersionSRI()
  • Method correctly uses this.config and this.logger

Thread 4: Misleading Test Name ✅ RESOLVED

  • Updated test name: "should not include integrity when empty string is provided"
  • Fixed assertion to expect toBeUndefined() instead of toBe('')

Thread 5: Empty String Handling ✅ RESOLVED

  • Modified generateLibUrls() to only include integrity field when truthy
  • Empty strings now treated same as undefined - field not set

Thread 6: Integrity Verification for Script Reuse ✅ RESOLVED (Security Critical)

  • Added integrity verification in handleExistingScript()
  • Rejects with error if existing script's integrity doesn't match expected value
  • Prevents security issue where scripts loaded without SRI could be reused

📊 Review Summary

Metric Count
Threads Reviewed 6/6 (100%)
Threads Resolved 6/6 (100%)
Security Fixes 1 (Thread 6)
Files Modified 4

🔐 Security Improvements

  1. CSP Nonce Integration: Script tags now respect CSP nonce for enhanced security
  2. Integrity Verification: Existing scripts are validated against expected SRI hash before reuse
  3. Clean Empty String Handling: No integrity attribute set for empty/falsy values

✅ Commit

All fixes committed in: 00cfe28 - fix: address review feedback for SRI implementation

🎯 Recommendation: APPROVE

All review feedback addressed. Implementation is:

  • ✅ Secure (integrity verification added)
  • ✅ Compatible (backward compatible, CSP-compliant)
  • ✅ Tested (proper test patterns)
  • ✅ Production-ready

Ready for merge after CI passes.

Copilot AI mentioned this pull request Feb 17, 2026
Closed
Copy link

Copilot AI commented Feb 17, 2026

@omercnet I've opened a new pull request, #1335, to work on those changes. Once the pull request is ready, I'll request review from you.

@omercnet omercnet force-pushed the shuni/task-20260216142601 branch from 7916ac0 to 38f3f8d Compare February 26, 2026 13:52
@omercnet omercnet force-pushed the shuni/task-20260216142601 branch from 389c516 to 5cbb1c9 Compare February 26, 2026 16:13
@omercnet omercnet marked this pull request as ready for review February 26, 2026 16:27
@omercnet omercnet requested review from Bars92 and dorsha February 26, 2026 16:28
@omercnet omercnet changed the title feat(web-component): add sri support for web-component-ui loader feat(web-component): add SRI support for web-component-ui loader Feb 26, 2026
@omercnet omercnet enabled auto-merge (squash) February 26, 2026 16:32
@omercnet omercnet force-pushed the shuni/task-20260216142601 branch from 5cbb1c9 to 0d844c7 Compare February 26, 2026 16:40
@dorsha dorsha changed the title feat(web-component): add SRI support for web-component-ui loader feat(web-component): add SRI support for web-component-ui loader RELEASE Feb 26, 2026
@dorsha dorsha disabled auto-merge February 26, 2026 18:10
@dorsha dorsha enabled auto-merge (squash) February 26, 2026 18:10
@dorsha dorsha merged commit ac04331 into main Feb 26, 2026
19 of 23 checks passed
@dorsha dorsha deleted the shuni/task-20260216142601 branch February 26, 2026 18:40
orius123
orius123 reviewed Feb 27, 2026
View reviewed changes
packages/libs/sdk-mixins/src/mixins/injectNpmLibMixin/helpers.ts
type ScriptData = {
id: string;
url: URL;
if ((window as any).DESCOPE_NONCE) {
Copy link
Member

@orius123 orius123 Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Who sets this DESCOPE_NONCE? is it documented?

packages/libs/sdk-mixins/src/mixins/injectNpmLibMixin/helpers.ts

return scriptEle;
};
if (integrity) {
Copy link
Member

@orius123 orius123 Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not to set enabled by default?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@orius123 orius123 orius123 left review comments

Copilot code review Copilot Copilot left review comments

@dorsha dorsha dorsha approved these changes

@nirgur nirgur Awaiting requested review from nirgur

@Bars92 Bars92 Awaiting requested review from Bars92

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@omercnet @orius123 @dorsha