Swapped all subresource integrity hash checks to use SHA-384 instead …

…of the buggy SHA-256/512
JasonYao · Mar 6, 2021 · 9d9bafa · 9d9bafa
1 parent 2eca3e1
commit 9d9bafa
Show file tree

Hide file tree

Showing 2 changed files with 107 additions and 1 deletion.
diff --git a/layouts/partials/head.html b/layouts/partials/head.html
@@ -0,0 +1,106 @@
+<!-- Copy of Anatole theme's head, except we add in Hugo's SRI Fingerprinting to use SHA-384 instead of 256/512 due to issues verifying in the browser -->
+<head>
+    <title> {{.Site.Params.author}}{{ with .Title }} | {{ . }}{{ end }} </title>
+
+    <!-- Meta -->
+    <meta charset="utf-8">
+    {{- hugo.Generator -}}
+    <meta name="viewport" content="width=device-width,initial-scale=1,viewport-fit=cover">
+    <meta name="description" content="{{ .Site.Params.description }}">
+    {{- if .Site.Params.googleSiteVerify }}
+    <meta name="google-site-verification" content="{{ .Site.Params.googleSiteVerify }}">
+    {{- end -}}
+
+    <!-- CSS -->
+    {{ $style := resources.Get "css/style.css" }}
+    {{ $secureStyle := $style | resources.Minify | resources.Fingerprint "sha384" }}
+    <link rel="stylesheet"
+          href="{{ $secureStyle.Permalink }}"
+          integrity="{{ $secureStyle.Data.Integrity }}"
+          crossorigin="anonymous"
+          type="text/css">
+
+    {{ $markupHighlightStyle := resources.Get "css/markupHighlight.css" }}
+    {{ $secureMarkupHighlightStyle := $markupHighlightStyle | resources.Minify | resources.Fingerprint "sha384" }}
+    <link rel="stylesheet"
+        href="{{ $secureMarkupHighlightStyle.Permalink }}"
+        integrity="{{ $secureMarkupHighlightStyle.Data.Integrity }}"
+        crossorigin="anonymous"
+        type="text/css">
+
+    {{ range .Site.Params.customCss }}
+        {{ $minstyles := resources.Get . }}
+        {{ $secureMinstyles := $minstyles | resources.Minify | resources.Fingerprint "sha384" }}
+        <link rel="stylesheet"
+        href="{{ $secureMinstyles.Permalink }}"
+        integrity="{{ $secureMinstyles.Data.Integrity }}"
+        crossorigin="anonymous"
+        media="screen" />
+    {{ end }}
+
+    <link rel="stylesheet"
+    href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.2/css/all.min.css"
+    integrity="sha384-vSIIfh2YWi9wW0r9iZe7RJPrKwp6bG+s9QZMoITbCckVJqGCCRhc+ccxNcdpHuYu"
+    crossorigin="anonymous" />
+
+    <!-- Favicons -->
+    <link rel="shortcut icon" href="{{ .Site.Params.favicon | absURL }}favicon.ico" type="image/x-icon">
+    <link rel="apple-touch-icon" sizes="180x180" href="{{ .Site.Params.favicon | absURL }}apple-touch-icon.png">
+    <link rel="icon" type="image/png" sizes="32x32" href="{{ .Site.Params.favicon | absURL }}favicon-32x32.png">
+    <link rel="icon" type="image/png" sizes="16x16" href="{{ .Site.Params.favicon | absURL }}favicon-16x16.png">
+
+    <link rel="canonical" href="{{ .Permalink }}">
+
+    <!-- RSS -->
+    {{ with .OutputFormats.Get "rss" -}}
+        {{ printf `<link rel="%s" type="%s" href="%s" title="%s" />` .Rel .MediaType.Type .Permalink $.Site.Title | safeHTML }}
+    {{ end -}}
+
+    <!-- JavaScript -->
+    {{ $anatoleHeader := resources.Get "js/anatole-header.js" }}
+    {{ $secureHeaderJS := $anatoleHeader |  resources.Minify | resources.Fingerprint "sha384" }}
+    <script type="text/javascript"
+            src="{{ $secureHeaderJS.Permalink }}"
+            integrity="{{ $secureHeaderJS.Data.Integrity }}"
+            crossorigin="anonymous"></script>
+
+
+    {{ if not .Site.Params.disableThemeSwitcher }}
+        {{ $anatoleThemeSwitcher := resources.Get "js/anatole-theme-switcher.js" }}
+        {{ $secureThemeSwitcherJS := $anatoleThemeSwitcher |  resources.Minify | resources.Fingerprint "sha384" }}
+        <script type="text/javascript"
+                src="{{ $secureThemeSwitcherJS.Permalink }}"
+                integrity="{{ $secureThemeSwitcherJS.Data.Integrity }}"
+                crossorigin="anonymous"></script>
+    {{ end }}
+
+    {{- $js := "" -}}
+    {{- range .Site.Params.customJs -}}
+        {{- if or (in . "http://") (in . "https://") -}}
+            <script src="{{ . | relURL }}"></script>
+        {{- else -}}
+            {{- $customJS := resources.Get . -}}
+            {{- if $customJS -}}
+                {{- if eq $js "" -}}
+                    {{- $js = $customJS -}}
+                {{- else -}}
+                    {{- $js = slice $js $customJS | resources.Concat "js/custom.js" -}}
+                {{- end -}}
+            {{- end -}}
+        {{- end -}}
+    {{- end -}}
+
+    {{- if ne $js "" -}}
+    {{- $secureJS := $js |  resources.Minify | resources.Fingerprint "sha384" -}}
+    <script type="text/javascript"
+            src="{{ $secureJS.Permalink }}"
+            integrity="{{ $secureJS.Data.Integrity }}"
+            crossorigin="anonymous"></script>
+    {{- end -}}
+
+    <!-- Twitter Cards -->
+    {{ template "_internal/twitter_cards.html" . }}
+
+    <!-- Open Graph -->
+    {{ template "_internal/opengraph.html" . }}
+</head>
diff --git a/static/assets/global/add-code-fence-copy.js b/static/assets/global/add-code-fence-copy.js
@@ -49,7 +49,7 @@ if (navigator && navigator.clipboard) {
 } else {
     var script = document.createElement('script');
     script.src = 'https://cdnjs.cloudflare.com/ajax/libs/clipboard-polyfill/3.0.2/promise/clipboard-polyfill.promise.min.js';
-    script.integrity = 'sha512-O9Q+AhI1w7LT1/tHysPWDwwrgB1fKJ/nXPNLC30i8LF6RdSz4dGZyWB9WySag3DZMdGuK5yHJEdKXMKI2m5uSQ==';
+    script.integrity = 'sha384-3HmgCGnEQynNhj31qqqf7+bNviXS5XVIc/uvWbn1SfqnPwLvGZ9bssxdqtAV0tSA';
     script.crossOrigin = 'anonymous';
     script.onload = function() {
         addCopyButtons(clipboard);