ember-cli-sri

2.1.1 verified Sat Apr 25 auth: no javascript

Ember CLI addon that generates Subresource Integrity (SRI) hashes to protect JavaScript and CSS subresources against CDN poisoning and corruption. The current stable version is 2.1.1. Releases are made as needed; v2.0.0 disabled paranoiaCheck by default. Key differentiator: it integrates with Ember CLI and fingerprinting, providing fail-safe defaults that avoid breaking the app when misconfigured. Supports CORS and relative/absolute URLs.

error SRI integrity attribute not added to script/link tags
cause Either fingerprint.prepend doesn't match the asset URL, or crossorigin is missing for cross-origin resources.
fix Ensure fingerprint.prepend matches the asset URL's prefix and set SRI.crossorigin if the asset is on a different origin.
error Error: Invalid SRI configuration: crossorigin must be set for external resources
cause Using a prepend URL that is not the same origin as the app without setting SRI.crossorigin.
fix Set SRI.crossorigin to 'anonymous' or 'use-credentials' in the EmberApp config.
breaking In v2.0.0, the paranoiaCheck option was disabled by default, which may allow missing fingerprints to go unnoticed.
fix Set SRI.paranoiaCheck: true to restore v1 behavior.
gotcha SRI will not be applied if the asset URL does not start with fingerprint.prepend.
fix Ensure fingerprint.prepend matches the actual asset prefix.
gotcha Cross-origin resources require SRI.crossorigin to be set, otherwise integrity is skipped.
fix Set SRI.crossorigin to 'anonymous' or 'use-credentials' and ensure CORS headers are present.
deprecated The 'origin' option is deprecated in favor of setting SRI.crossorigin and ensuring fingerprint.prepend matches.
fix Use SRI.crossorigin and fingerprint.prepend instead.
npm install ember-cli-sri
yarn add ember-cli-sri
pnpm add ember-cli-sri

Configures SRI with CORS for assets served from a CDN. Ensure origin matches prepend or crossorigin is set.

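// In ember-cli-build.js
const EmberApp = require('ember-cli/lib/broccoli/ember-app');

module.exports = function (defaults) {
  const app = new EmberApp(defaults, {
    SRI: {
      // Required because the assets are served from a different origin
      crossorigin: 'anonymous'
    },
    fingerprint: {
      // Must match the prefix of the asset URLs, or SRI is skipped
      prepend: 'https://cdn.example.com/'
    }
  });

  return app.toTree();
};

// Then run: ember build --environment production
// Output will include integrity attributes on script/link tags.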
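
A post-build check for the gotchas listed above, where integrity is silently skipped when fingerprint.prepend does not match or crossorigin is missing. This is an added example, not code from ember-cli-sri: `auditSri`, `sriToken`, `attr` and the sample data are hypothetical names and constructed values, and the regex tag parsing assumes double-quoted attributes as in a generated index.html.

```javascript
const { createHash } = require('node:crypto');

// SRI token for file content, e.g. "sha256-<base64 digest>".
function sriToken(alg, content) {
  return `${alg}-${createHash(alg).update(content).digest('base64')}`;
}

// Value of a double-quoted attribute in a tag string, or null when absent.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}="([^"]*)"`));
  return m ? m[1] : null;
}

// `assets` maps asset URL (as written in the HTML) -> built file content;
// `appOrigin` is the origin that serves index.html.
function auditSri(html, assets, appOrigin) {
  const findings = [];
  for (const tag of html.match(/<(?:script|link)\b[^>]*>/g) || []) {
    const url = attr(tag, 'src') || attr(tag, 'href');
    if (!url || !(url in assets)) continue; // not one of the built assets
    const integrity = attr(tag, 'integrity');
    if (!integrity) { findings.push(`${url}: no integrity attribute`); continue; }
    const crossOrigin = new URL(url, appOrigin).origin !== appOrigin;
    if (crossOrigin && !/\scrossorigin\b/.test(tag)) {
      findings.push(`${url}: cross-origin without crossorigin attribute`);
    }
    // Stricter than a browser: every listed hash must match the built file.
    for (const token of integrity.trim().split(/\s+/)) {
      const alg = token.split('-')[0];
      if (!['sha256', 'sha384', 'sha512'].includes(alg)) continue;
      if (token !== sriToken(alg, assets[url])) {
        findings.push(`${url}: ${alg} hash does not match built file`);
      }
    }
  }
  return findings;
}

// Constructed sample: a correct tag, a tag SRI skipped, and a stale hash.
const cdn = 'https://cdn.example.com/assets/';
const sampleAssets = { [cdn + 'app.js']: 'a()', [cdn + 'vendor.js']: 'v()', [cdn + 'app.css']: 'b{}' };
const sampleHtml = [
  `<script src="${cdn}app.js" integrity="${sriToken('sha256', 'a()')} ${sriToken('sha512', 'a()')}" crossorigin="anonymous"></script>`,
  `<script src="${cdn}vendor.js"></script>`,
  `<link rel="stylesheet" href="${cdn}app.css" integrity="${sriToken('sha256', 'old{}')}" crossorigin="anonymous">`,
].join('\n');
console.log(auditSri(sampleHtml, sampleAssets, 'https://app.example.com'));
```

In CI, build the `assets` map from the files under `dist/`, keyed by the URLs that appear in `dist/index.html`, and fail the job when the returned list is non-empty.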