Facilitate Subresource Integrity #2
Small nit: Mozilla is now pushing sha384 instead as their recommended default since apparently the NSA no longer recommends sha256: mozilla/srihash.org@ea93c4c

@MatthewHerbst good call 👍

Will go ahead and implement this =) I'll try to get it done this week. This has been part of the plan all along, was sorta rushing to get this out ASAP for timing, but excited to get some new stuff in here =)

Has this been implemented yet? If so, the documentation needs to be updated.

Not yet -- I'm working on it today, actually. I've been sorta tied down finishing a work deadline and am just getting back to making upgrades to PassProtect now and through the next 2 weeks =)

Hi, any update on this? Would be nice to implement this.

Having SRI added would be a big win.

Agreed. Looking forward to it.
To allow SRI reliably, it'd be nice to have access to versioned scripts (and CORS headers) if we're to implement this in a way that helps reduce the risk of XSS on sites that are relying on the CDN.

Steps:

1. Add a version to the CDN URL:

   Currently it's:

   A URL such as

   https://cdn.passprotect.io/1.0.0/passprotect.min.js

   would then allow us to rely on a specific version (which means that SRI won't break when changes are made)

2. Add CORS header:

   https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

   Set the header on the resource to:

3. Add SRI to the docs:

   There may be a way of automating this into the docs when changes are made, the command to generate an integrity hash is:

   openssl dgst -sha256 -binary file.js | openssl base64 -A

   The docs can then show the integrity hash to use like so:

More info in great blog posts from Scott Helme https://scotthelme.co.uk/subresource-integrity/ https://scotthelme.co.uk/tag/sri/
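An added example, not from the thread or the PassProtect project, showing how the steps above fit together: computing the integrity value the same way the openssl pipeline does (defaulting to sha384 as suggested earlier in the thread), the script tag with the crossorigin attribute that makes the CORS header necessary, and the browser-side check that a versioned file still matches. The file contents and the 1.0.0 URL are constructed stand-ins.

```python
import base64
import hashlib

# Algorithms the SRI spec allows, ordered weakest to strongest; when an
# integrity attribute lists several hashes the browser keeps only the strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(data: bytes, algo: str = "sha384") -> str:
    """Integrity attribute value for data: same bytes as
    `openssl dgst -<algo> -binary file.js | openssl base64 -A`, with the
    algorithm prefix added."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, integrity: str) -> str:
    """Tag the docs would show. crossorigin="anonymous" is required for SRI on a
    cross-origin CDN and only works if the CDN sends Access-Control-Allow-Origin."""
    return f'<script src="{url}" integrity="{integrity}" crossorigin="anonymous"></script>'


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Check data the way a browser does: parse the space-separated metadata,
    keep the strongest algorithm present, accept if any hash for it matches."""
    parsed = []
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        if sep and algo in SRI_ALGORITHMS:
            parsed.append((algo, b64.split("?")[0]))  # drop any option-expression
    if not parsed:
        return True  # no usable metadata: per spec the resource loads unchecked
    strongest = max(parsed, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    expected = {b64 for algo, b64 in parsed if algo == strongest}
    actual = sri_integrity(data, strongest).split("-", 1)[1]
    return actual in expected


# Constructed stand-in for a versioned CDN build; the real file is read from disk.
SAMPLE_JS = b"(function(){console.log('passprotect 1.0.0');})();\n"
SAMPLE_URL = "https://cdn.passprotect.io/1.0.0/passprotect.min.js"  # URL shape from the thread

if __name__ == "__main__":
    metadata = sri_integrity(SAMPLE_JS)
    print(script_tag(SAMPLE_URL, metadata))
    print("unchanged build accepted:", verify_integrity(SAMPLE_JS, metadata))
    print("modified build accepted:", verify_integrity(SAMPLE_JS + b"//", metadata))
```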