Make SRI default #279

Open
MattIPv4 opened this issue May 13, 2019 · 2 comments

@MattIPv4
Member

commented May 13, 2019

Following the recent article from Troy Hunt and the feedback of users on Twitter, I think it would be best for us to ensure that SRI options are the default.

I feel the best way to implement this would be to make the "Copy" button default to "Copy Link/Script Tag with SRI" for all JS/CSS assets.

Additionally, if a user uses the "Copy Link/Script Tag" button that doesn't make use of SRI, show a modal explaining the benefits of using SRI.

@PeterDaveHello

Member

commented May 13, 2019

@MattIPv4 before that, I prefer to increase the sha level, and on the other side, the modal would be too aggressive to me.

@MattIPv4

Member Author

commented May 13, 2019

@PeterDaveHello I'll leave the change in sha level to you :)

With the modal, I think it could be something that could use a cookie or similar so that it only needs to show once, simply educating users who may not be aware of the benefits to security of using SRI.

However, if we make the SRI copy default and "fade" the non-SRI copy options, this may on its own encourage more users to use SRI.
