waysact
diff --git a/‎CONTRIBUTING.md
Lines changed: 79 additions & 0 deletions b/‎CONTRIBUTING.md
Lines changed: 79 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 122 additions & 64 deletions b/‎README.md
Lines changed: 122 additions & 64 deletions
@@ -0,0 +1,79 @@
+# Contributing
+
+## Issues
+
+If you have discovered a bug or have a feature suggestion, feel free
+to create an issue on Github.
+
+This plugin is being used in production and has a comprehensive test
+suite that ensures it works in several scenarios.  If it's not working
+for you, it's very likely to do with your specific Webpack
+configuration.  Therefore it is important that you provide as much
+information about your configuration as possible when filing a bug
+report.
+
+Ideally you can provide a small test project (as a Github repository
+or Gist) that can be built to reproduce the issue.
+
+If for some reason you can't isolate the problem in a test project, at
+the very least we will need the following:
+
+- A list of the package versions you're using, ideally as a
+  `package.json` or `npm-shrinkwrap.json` file, or at least the
+  version numbers for the following: Node.js, Webpack, and all Webpack
+  plugins you're using (including this plugin).
+
+- Your `webpack.config.js`, or at least the `plugins` and `output`
+  sections.
+
+- Any other information you can provide, for example how exactly you
+  invoke the Webpack build process, and how exactly you embed
+  integrity values in your HTML file.
+
+Thanks for helping to improve webpack-subresource-integrity!
+
+## Pull Requests
+
+Pull requests are welcome!
+
+You are welcome to correct any spelling mistakes or language issues.
+
+For code changes, please read the following instructions to ensure
+that we can accept your pull request.
+
+### Include a new test case
+
+Your pull request should include at least one new test case that fails
+without your code changes.  You can ensure this is the case as
+follows:
+
+```shell
+git checkout master
+git checkout your-branch -- test
+npm test # this should fail
+```
+
+Creating a new test case can be difficult, but this is an essential
+part of the pull request without which it cannot be accepted.
+
+If you have trouble creating the test case, open the pull request
+without it and at-mention a maintainer for help.
+
+### Webpack compatibility
+
+Your new test case and all existing test cases should pass with both
+Webpack 1.x and 2.x.  You can ensure this is the case as follows:
+
+```shell
+npm install webpack@1 extract-text-webpack-plugin@1 && npm test
+npm install webpack@beta extract-text-webpack-plugin@beta && npm test
+```
+
+### Code formatting
+
+Your code should be eslint-clean.  You can ensure this is the case as
+follows:
+
+```shell
+npm run lint # this should not output any errors or warnings
+```
@@ -1,102 +1,160 @@
 # webpack-subresource-integrity
 
-[![Build Status](https://travis-ci.org/waysact/webpack-subresource-integrity.svg?branch=master)](https://travis-ci.org/waysact/webpack-subresource-integrity)
+[![npm version](https://badge.fury.io/js/webpack-subresource-integrity.svg)](https://badge.fury.io/js/webpack-subresource-integrity) [![Build Status](https://travis-ci.org/waysact/webpack-subresource-integrity.svg?branch=master)](https://travis-ci.org/waysact/webpack-subresource-integrity) [![Dependency Status](https://david-dm.org/waysact/webpack-subresource-integrity.svg)](https://david-dm.org/waysact/webpack-subresource-integrity) [![GitHub license](https://img.shields.io/badge/license-MIT-blue.svg)](https://raw.githubusercontent.com/waysact/webpack-subresource-integrity/master/LICENSE)
 
-A Webpack plugin for ensuring
-[subresource integrity](http://www.w3.org/TR/SRI/) on
-[supported browsers](http://caniuse.com/#feat=subresource-integrity).
+Webpack plugin for enabling Subresource Integrity.
 
-Integrity is ensured automatically for lazy-loaded chunks (loaded via
-`require.ensure`).
+[Subresource Integrity](http://www.w3.org/TR/SRI/) (SRI) is a security
+feature that enables browsers to verify that files they fetch (for
+example, from a CDN) are delivered without unexpected
+manipulation.
 
-It's your responsibility to include the `integrity` attribute in the
-HTML for top-level chunks.  Obviously, SRI for lazy-loaded chunks is
-pointless unless integrity of the top-level chunks is ensured as well.
+## Features
 
-[html-webpack-plugin](https://github.com/ampedandwired/html-webpack-plugin)
-users can get the `integrity` attribute set automatically, see below.
+- Integration with [html-webpack-plugin](https://github.com/ampedandwired/html-webpack-plugin)
+- Support for code-splitting (integrity for lazy-loaded chunks)
 
-## Usage
+## Installation
 
-### Installing the Plugin
-
-    $ npm install webpack-subresource-integrity --save-dev
+```shell
+npm install webpack-subresource-integrity --save-dev
+```
 
-Pass an array of
-[hash algorithms](http://www.w3.org/TR/SRI/#cryptographic-hash-functions)
-to the plugin constructor:
+### Webpack Configuration Example
 
-    import SriPlugin from 'webpack-subresource-integrity';
+```javascript
+import SriPlugin from 'webpack-subresource-integrity';
 
-    const compiler = webpack({
-        plugins: [
-            // ...
-            new SriPlugin(['sha256', 'sha384']),
-        ],
-    });
+const compiler = webpack({
+    plugins: [
+        new SriPlugin({
+            hashFuncNames: ['sha256', 'sha384'],
+            enabled: process.env.NODE_ENV === 'production',
+            crossorigin: 'anonymous',
+        }),
+    ],
+});
+```
 
-### Accessing the `integrity` Value for Top-level Assets
+### Setting the `integrity` attribute for top-level assets
 
-The correct value for the `integrity` attribute can be retrieved from
-the `integrity` property of webpack assets.  However, that property is
-not copied over by webpack's `stats` module so you'll have to access
-the "original" asset on the `compilation` object.  Something like
-this:
+For the plugin to take effect it is **essential** that you set the
+`integrity` attribute for top-level assets (i.e. assets loaded by your
+HTML pages.)
 
-    compiler.plugin("done", stats => {
-        var integrity = stats.compilation.assets[stats.toJson().assetsByChunkName.main].integrity;
-    });
+#### With HtmlWebpackPlugin
 
-Use that value to generate the `integrity` attribute for tags such as
-`<script>` and `<link>`.  Note that you are also
-[required to set the `crossorigin` attribute](https://www.w3.org/TR/SRI/#cross-origin-data-leakage).
+When html-webpack-plugin is injecting assets into the template (the
+default), the `integrity` attribute will be set automatically.  There
+is nothing else to be done.
 
-#### `html-webpack-plugin` Integration
+#### With HtmlWebpackPlugin({ inject: false })
 
-The plugin installs a hook for `html-webpack-plugin` that adds the
-`integrity` attribute automatically when `inject: true` (the default).
-This requires `html-webpack-plugin` version `2.21.0` or later.  The
-`crossorigin` attribute will be set to `anonymous` in this case.
-
-If you're using a template with `html-webpack-plugin` and with
-`inject: false`, you can generate the attributes as follows:
+When you use html-webpack-plugin with `inject: false`, you are
+required to set the `integrity` and `crossorigin` attributes in your
+template as follows:
 
 ```ejs
 <% for (var index in htmlWebpackPlugin.files.js) { %>
-  <script src="<%= htmlWebpackPlugin.files.js[index] %>"
-          integrity="<%= htmlWebpackPlugin.files.jsIntegrity[index] %>"
-          crossorigin="anonymous"
+  <script
+     src="<%= htmlWebpackPlugin.files.js[index] %>"
+     integrity="<%= htmlWebpackPlugin.files.jsIntegrity[index] %>"
+     crossorigin="<%= htmlWebpackPlugin.options.sriCrossOrigin %>"
   ></script>
 <% } %>
 
 <% for (var index in htmlWebpackPlugin.files.css) { %>
-  <link href="<%= htmlWebpackPlugin.files.css[index] %>"
-        integrity="<%= htmlWebpackPlugin.files.cssIntegrity[index] %>"
-        rel="stylesheet"
-        crossorigin="anonymous"
-  >
+  <link
+     href="<%= htmlWebpackPlugin.files.css[index] %>"
+     integrity="<%= htmlWebpackPlugin.files.cssIntegrity[index] %>"
+     crossorigin="<%= htmlWebpackPlugin.options.sriCrossOrigin %>"
+     rel="stylesheet"
+  />
 <% } %>
 ```
 
+#### Without HtmlWebpackPlugin
+
+The correct value for the `integrity` attribute can be retrieved from
+the `integrity` property of Webpack assets.  However, that property is
+not copied over by Webpack's `stats` module so you'll have to access
+the "original" asset on the `compilation` object.  For example:
+
+```javascript
+compiler.plugin("done", stats => {
+    const mainAssetName = stats.toJson().assetsByChunkName.main;
+    const integrity = stats.compilation.assets[mainAssetName].integrity;
+});
+```
+
+### Options
+
+#### hashFuncNames
+
+Required option, no default value.
+
+An array of strings, each specifying the name of a hash function to be
+used for calculating integrity hash values.  For example, `['sha256',
+'sha512']`.
+
+See [SRI: Cryptographic hash functions](http://www.w3.org/TR/SRI/#cryptographic-hash-functions)
+
+#### enabled
+
+Default value: `true`
+
+When this value is falsy, the plugin doesn't run and no integrity
+values are calculated. It is recommended to disable the plugin in
+development mode.
+
+#### crossorigin
+
+Default value: `"anonymous"`
+
+When using `HtmlWebpackPlugin({ inject: true })`, this option
+specifies the value to be used for the `crossorigin` attribute for
+injected assets.
+
+The value will also be available as
+`htmlWebpackPlugin.options.sriCrossOrigin` in html-webpack-plugin
+templates.
+
+See
+[SRI: Cross-origin data leakage](https://www.w3.org/TR/SRI/#cross-origin-data-leakage) and
+[MDN: CORS settings attributes](https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_settings_attributes)
+
 ## Caveats
 
-* There is a
-  [known bug relating to SRI in Chrome versions before 47](https://code.google.com/p/chromium/issues/detail?id=527286)
-  which will break loading of scripts containing certain UTF-8
-  characters.  You might want to hold off using SRI if you need to
-  support older Chrome versions.
+### Browser support
+
+Browser support for SRI is currently patchy.  Your page will still
+work on browsers without support for SRI, but subresources won't be
+protected from tampering.
+
+See [Can I use Subresource Integrity?](http://caniuse.com/#feat=subresource-integrity)
+
+### Broken browser versions
+
+There is a
+[known bug relating to SRI in Chrome 45 and 46](https://code.google.com/p/chromium/issues/detail?id=527286)
+which will break loading of scripts containing certain UTF-8
+characters. You might want to hold off using SRI if you need to
+support these Chrome versions. (Unfortunately, Chrome 45 still
+[holds a relatively high market share](https://www.netmarketshare.com/report.aspx?qprid=3&qpaf=&qpcustom=Chrome+45.0&qpcustomb=0)
+of around 5% at the time of this writing.)
 
-## Contributing
+### Hot Module Replacement
 
-If you have discovered a bug or have a feature suggestion, feel free to create an issue on Github.
+Chunks loaded via Hot Module Replacement (HMR) are not currently
+protected.  This shouldn't be a problem because HMR is usually used
+only in development mode where SRI is not normally needed.
 
-Pull requests are welcome. Please run `npm test` and `npm run lint` on
-your branch before submitting it.
+## Further Reading
 
-You are also welcome to correct any spelling mistakes or any language issues.
+- [MDN: Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)
 
 ## License
 
 Copyright (c) 2015, 2016 Waysact Pty Ltd
 
-MIT (see [`LICENSE`](LICENSE))
+MIT (see [LICENSE](LICENSE))