To help prevent script tampering and ensure that checkout processes work correctly, when you modify any file in the Cove cartridge, generate and update the Subresource Integrity (SRI) hash values for the scripts in the cartridge.
Automatically generate new SRI hash values when building the Cove cartridge
To automatically generate new SRI hash values when you build the Cove cartridge, take the following steps.
-
Install the following packages. In version 0.13.0 and later, the Cove cartridge includes the packages by default.
npm install webpack-assets-manifest@4.0.0 --save npm install webpack-subresource-integrity@1.5.2 --save -
In your
webpack.config.jsconfiguration file, require theSubresourceIntegrityPluginandWebpackAssetsManifestplugins. In version 0.13.0 and later, the Cove cartridge includes the plugins by default.var path = require('path'); const SubresourceIntegrityPlugin = require('webpack-subresource-integrity'); const WebpackAssetsManifest = require('webpack-assets-manifest'); -
In the
pluginsarray of the JavaScript configuration object, add instances of theSubresourceIntegrityPluginandWebpackAssetsManifestplugins as follows. In version 0.13.0 and later, the Cove cartridge includes the instances by default.plugins: [ new SubresourceIntegrityPlugin({ hashFuncNames: ['sha384'] }), new WebpackAssetsManifest({ integrity: true, integrityHashes: ['sha384'], writeToDisk: true, output: 'js-asset-manifest.json' }) ]
Generate the js-asset-manifest.json file
The webpack-assets-manifest package generates js-asset-manifest.json, which includes SHA-384 SRI hash values for each affected script. To generate the js-asset-manifest.json file, do the following.
- At a command prompt, open your Cove cartridge directory and build the cartridge.
- After you build the cartridge, find the
js-asset-manifest.jsonfile inlink_cove/cartridges/int_cove/cartridge/static/.
Update SRI hash values for scripts in the Cove cartridge
When the Cove cartridge loads a checkout script, it automatically verifies the SRI of the script by checking whether the new SRI hash value matches the expected SRI hash value. The following sections show how to update the SRI hash values for scripts in the Cove cartridge to ensure that checkout processes work correctly.
Update the SRI hash value for checkoutSummary.js
To update the SRI hash value for the checkoutSummary.js script, take the following steps.
-
Open the following file in a text editor:
link_cove/cartridges/int_cove_storefront/cartridge/templates/default/checkout/checkout.isml -
In the Load Static Assets section, find the line that references the
checkoutSummary.jsscript.assets.addJs('/js/checkoutSummary.js', 'sha384-xyZ123dEf456GhI789jKl+012MnO345pQr678sTu901vWx234yZa567bCd890EfG'); -
From the
js-asset-manifest.jsonfile, get the new SRI hash value for thecheckoutSummary.jsentry under theintegritykey. The following example contains a placeholder SRI hash value."default/js/checkoutSummary.js": { "src": "default/js/checkoutSummary.js", "integrity": "sha384-def123abC456GhI789jKl+012MnO345pQr678sTu901vWx234yZa567bCd890EfG" }, -
In the
checkout.ismlfile, replace the existing SRI hash value with the new SRI hash value from thejs-asset-manifest.jsonfile and keep thesha384-prefix. -
Save the
checkout.ismlfile.
Update the SRI hash values for clickstreamLoader.js and cove.js
To update the SRI hash values for the clickstreamLoader.js and cove.js scripts, take the following steps.
-
Open the following file in a text editor:
link_cove/cartridges/int_cove/cartridge/scripts/cove/hooks/htmlHooks.js -
Find the following script references in the
htmlHeadfunction:// clickstreamLoader.js hash Velocity.render('<script defer src="$url" integrity="sha384-abC123dEf456GhI789jKl+012MnO345pQr678sTu901vWx234yZa567bCd890EfG"></script>', { url: URLUtils.staticURL('/js/clickstreamLoader.js') }); // cove.js hash Velocity.render('<script defer src="$url" integrity="sha384-abC123dEf456GhI789jKl+012MnO345pQr678sTu901vWx234yZa567bCd890EfG"></script>', { url: URLUtils.staticURL('/js/cove.js').toString() }); -
From the
js-asset-manifest.jsonfile, get the new SRI hash values for theclickstreamLoader.jsandcove.jsentries under theintegritykey. The following example contains placeholder SRI hash values."default/js/clickstreamLoader.js": { "src": "default/js/clickstreamLoader.js", "integrity": "sha384-abC123dEf456GhI789jKl+012MnO345pQr678sTu901vWx234yZa567bCd890EfG" }, "default/js/cove.js": { "src": "default/js/cove.js", "integrity": "sha384-xyZ123aBC456GhI789jKl+012MnO345pQr678sTu901vWx234yZa567bCd890EfG" }, -
In the
htmlHooks.jsfile, replace both SRI hash values with their corresponding new SRI hash values from thejs-asset-manifest.jsonfile and keep thesha384-prefix. -
Save the
htmlHooks.jsfile.
Generate new SRI hash values manually
If your configuration requires you to build the Cove cartridge separately, you might have to generate new SRI hash values manually. For details about how to generate new SRI hash values manually, in the Mozilla documentation see Subresource Integrity.