The hot new security feature for the web is Subresource Integrity: basically, for each resource (Javascript, CSS) that your page loads, you specify an ‘integrity’ attribute which is a cryptographic hash of the expected contents of the resource. This prevents bad actors from doing nasty things like modifying your scripts on-the-fly before serving them to the user.
I’ve been thinking about ways to support this in Middleman, and it seems to me that you’d need an extension that runs after the resources are generated, but before the HTML pages are written out. Looking at the documentation for extensions, it seems that there are hooks for :after_configuration and :after_build, but I think the first one is probably too early, and the second is probably too late.
You could have an :after_build hook that scanned the resource files and wrote the appropriate hashes into a data file that could then be loaded on the next build – but that would mean that you’d need to build at least twice to get everything right.
So my first question is, is there a way to execute code at the appropriate time, i.e. before the HTML pages are built, but after any Javascript has been copied into the build directory, Sass has run to generate the stylesheets etc.?
The second question is, are there good (complete) examples of writing extensions? I started with the minimal example given on the custom extensions page, but it just dies during the build with an error “undefined method ‘registered’ for class”, so I suspect that the documentation hasn’t kept pace with the code and that something else needs to be added to the minimal example to make it work.
Any tips or suggestions would be gratefully received.