SRI Digest Hash Algorithm sha256 Doesn't Meet Recommended Baseline of sha384

[mattt]

• I tried updating to the latest version
  • I can't, there is an issue
  • This is about an < latest
    • I understand older versions may be unsupported
• I Am on Windows
  • Ubuntu Bash on Windows
  • Fedora Bash on Windows
  • Other Bash on Windows
• I Am on Linux
  • Ubuntu
  • Fedora
  • CentOS
  • Redhat
  • Debian
• I am on macOS 10.13
• I am on macOS 10.14
• I'm on Docker
  • I understand Docker may be unsupported

Description

When subresource integrity is enabled, Jekyll-Assets uses sha256 to calculate the digest. However, this algorithm doesn't meet the baseline recommendations from the Subresource Integrity specification.

Jekyll-Assets should instead use sha384 by default, and optionally allow for this to be configured (as discussed in #535).

Steps

• Enable subresource integrity in a Jekyll project that uses Jekyll-Assets
• Use the {% asset %} tag to include a script or stylesheet.

Output

<link rel="stylesheet" type="text/css" href="screen.css" integrity="sha256-_______" crossorigin="anonymous">

Expected

<link rel="stylesheet" type="text/css" href="screen.css" integrity="sha384-_______" crossorigin="anonymous">

[TCFox]

Possibly related to #270 ?

Don't quote me on this, but as far as I know SHA256 is not currently considered unsafe (as of 2019) and the convention to use SHA384 is largely due to an old bug in Firefox that resulted in SHA256/SHA512 SRI hashes being incorrectly validated. SHA384 was being validated correctly despite this bug, hence the convention to use it over SHA256.

I may have some of those details wrong, so apologies if that's not the exact story. It's based on some very fuzzy memories of how it all happened. Still would be great to see it changed to SHA384 and align it with W3C recommendations however I don't think it's an issue based on security concerns.