Remove attributes from resources (close DevExpress#235)

src/client/dom-processor/client-dom-adapter.js

@@ -9,6 +9,10 @@ import { isIE9 } from '../utils/browser';
 import { findDocument } from '../utils/dom';
 
 export default class ClientDomAdapter extends BaseDomAdapter {
+    removeAttr (el, attr) {
+        return el.removeAttribute(attr);
+    }
+
     getAttr (el, attr) {
         return nativeMethods.getAttribute.call(el, attr);
     }

src/processing/dom/base-dom-adapter.js

@@ -19,6 +19,10 @@ export default class BaseDomAdapter {
         this.IFRAME_FLAG_TAGS = ['a', 'form'];
     }
 
+    removeAttr () {
+        throw new Error('Not implemented');
+    }
+
     getAttr () {
         throw new Error('Not implemented');
     }

src/processing/dom/index.js

@@ -95,6 +95,8 @@ export default class DomProcessor {
 
             IS_SCRIPT: el => adapter.getTagName(el).toLowerCase() === 'script',
 
+            IS_LINK: el => adapter.getTagName(el).toLowerCase() === 'link',
+
             IS_INPUT: el => adapter.getTagName(el).toLowerCase() === 'input',
 
             IS_STYLE: el => adapter.getTagName(el).toLowerCase() === 'style',
@@ -136,8 +138,13 @@ export default class DomProcessor {
                 urlAttr:           'content',
                 elementProcessors: [this._processMetaElement]
             },
+            {
+                selector:          selectors.IS_SCRIPT,
+                elementProcessors: [this._processScriptElement, this._processIntegrityAttr]
+            },
+
             { selector: selectors.ALL, elementProcessors: [this._processStyleAttr] },
-            { selector: selectors.IS_SCRIPT, elementProcessors: [this._processScriptElement] },
+            { selector: selectors.IS_LINK, elementProcessors: [this._processIntegrityAttr] },
             { selector: selectors.IS_STYLE, elementProcessors: [this._processStylesheetElement] },
             { selector: selectors.IS_INPUT, elementProcessors: [this._processAutoComplete] },
             { selector: selectors.HAS_EVENT_HANDLER, elementProcessors: [this._processEvtAttr] },
@@ -209,6 +216,13 @@ export default class DomProcessor {
         this.adapter.setAttr(el, 'autocomplete', 'off');
     }
 
+    // NOTE: We simply remove the 'integrity' attribute because its value will not be relevant after the script
+    // content changes (http://www.w3.org/TR/SRI/). If this causes problems in the future, we will need to generate
+    // the correct SHA for the changed script. (GH-235)
+    _processIntegrityAttr (el) {
+        this.adapter.removeAttr(el, 'integrity');
+    }
+
     _processJsAttr (el, attr, jsProtocol) {
         var storedUrlAttr = this.getStoredAttrName(attr);
         var processed     = this.adapter.hasAttr(el, storedUrlAttr);

src/processing/dom/parse5-dom-adapter.js

@@ -11,6 +11,16 @@ export default class Parse5DomAdapter extends BaseDomAdapter {
         this.crossDomainPort = crossDomainPort;
     }
 
+    removeAttr (el, attr) {
+        for (var i = 0; i < el.attrs.length; i++) {
+            if (el.attrs[i].name === attr) {
+                el.attrs.splice(i, 1);
+
+                return;
+            }
+        }
+    }
+
     getAttr (el, attr) {
         for (var i = 0; i < el.attrs.length; i++) {
             if (el.attrs[i].name === attr)

test/client/fixtures/sandbox/node/dom-processor-test.js

@@ -305,6 +305,24 @@ test('stylesheet after innerHTML', function () {
 
 module('regression');
 
+test('Remove the "integrity" attribute from the link and script tags (GH-235)', function () {
+    var script = nativeMethods.createElement.call(document, 'script');
+    var link   = nativeMethods.createElement.call(document, 'link');
+
+    nativeMethods.setAttribute.call(script, 'integrity', 'sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7');
+    nativeMethods.setAttribute.call(link, 'integrity', 'sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7');
+
+    var urlReplacer = function (url) {
+        return url;
+    };
+
+    domProcessor.processElement(script, urlReplacer);
+    domProcessor.processElement(link, urlReplacer);
+
+    ok(!script.hasAttribute('integrity'));
+    ok(!link.hasAttribute('integrity'));
+});
+
 asyncTest('link with target=\'_parent\' in iframe (T216999)', function () {
     var iframe         = document.createElement('iframe');
     var storedAttrName = domProcessor.getStoredAttrName('href');

test/server/data/page/expected.html

@@ -1,8 +1,8 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html manifest="http://127.0.0.1:1836/sessionId/http://base.url/some.url" manifest-hammerhead-stored-value="/some.url"><head><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta class="charset-hammerhead-shadow-ui" charset="utf-8"><link rel="stylesheet" type="text/css" class="ui-stylesheet-hammerhead-shadow-ui" href="http://127.0.0.1:1836/styles1.css"><link rel="stylesheet" type="text/css" class="ui-stylesheet-hammerhead-shadow-ui" href="http://127.0.0.1:1836/styles2.css"><script type="text/javascript" class="script-hammerhead-shadow-ui" charset="UTF-8" src="http://127.0.0.1:1836/hammerhead.js"></script><script type="text/javascript" class="script-hammerhead-shadow-ui" charset="UTF-8" src="http://127.0.0.1:1836/script1.js"></script><script type="text/javascript" class="script-hammerhead-shadow-ui" charset="UTF-8" src="http://127.0.0.1:1836/script2.js"></script><script type="text/javascript" class="script-hammerhead-shadow-ui" charset="UTF-8" src="http://127.0.0.1:1836/task.js"></script>
     <meta charset="utf-8">
 
-    <link id="stylesheet" rel="stylesheet" type="text/css" href="http://127.0.0.1:1836/sessionId/http://stylesheet.url/" href-hammerhead-stored-value="http://stylesheet.url">
-    <script type="text/javascript" src="http://127.0.0.1:1836/sessionId!script!utf-8/http://link.url/" src-hammerhead-stored-value="http://link.url"></script>
+    <link id="stylesheet" rel="stylesheet" type="text/css" href="http://127.0.0.1:1836/sessionId/http://stylesheet.url/" crossorigin="anonymous" href-hammerhead-stored-value="http://stylesheet.url">
+    <script type="text/javascript" src="http://127.0.0.1:1836/sessionId!script!utf-8/http://link.url/" crossorigin="anonymous" src-hammerhead-stored-value="http://link.url"></script>
     <script type="text/javascript" charset="utf-16be" src="http://127.0.0.1:1836/sessionId!script!utf-16be/http://link.url/" src-hammerhead-stored-value="http://link.url"></script>
     <meta http-equiv="Refresh" content="0;URL=http://127.0.0.1:1836/sessionId/http://link.url/">
     <base href="http://127.0.0.1:1836/sessionId/http://base.url/" href-hammerhead-stored-value="http://base.url">

test/server/data/page/src.html

@@ -3,8 +3,8 @@
 <head>
     <meta charset="utf-8">
     <meta http-equiv="X-UA-Compatible" content="IE=7" />
-    <link id="stylesheet" rel="stylesheet" type="text/css" href="http://stylesheet.url">
-    <script type="text/javascript" src="http://link.url"></script>
+    <link id="stylesheet" rel="stylesheet" type="text/css" href="http://stylesheet.url" integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7" crossorigin="anonymous">
+    <script type="text/javascript" src="http://link.url" integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7" crossorigin="anonymous"></script>
     <script type="text/javascript" charset="utf-16be" src="http://link.url"></script>
     <meta http-equiv="Refresh" content="0;URL=http://link.url">
     <base href="http://base.url">