Add support for SRI #555
Comments
|
Hey @jonathanKingston, I agree SRI will be a great once the W3C spec is finished. Correct me if I am wrong, but by adding it now:
|
|
FWIW, Chrome implemented in June: https://code.google.com/p/chromium/issues/detail?id=355467 |
|
ah thank you @ericlaw1979 |
|
@jonathanKingston can you shoot me an email? jdorfman at maxcdn Thanks! |
|
@ericlaw1979 looks like @jonathanKingston My question is the <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" integrity="sha256-MfvZlkHCEqatNoGiOXveE8FIwMzZg4W85qfrfIFBfYc=" crossorigin="anonymous">Reason I ask is with CORS, as I'm sure you know, adding |
|
@freddyb could you help a SRI noob out? ^ |
|
@jdorfman sorry for the delayed response, just got home. Anonymous means don't send credentials: https://www.npmjs.com/package/ember-cli-sri#crossorigin-attribute |
|
Yup Chrome Canary has an implementation in for testing purposes. There are some caveats however they should not be important here:
The spec changes that have been mentioned so far:
So yeah |
|
@jonathanKingston that clears everything up for me. I will work with @jmervine on getting something implemented in the near future. |
|
@jonathanKingston would it make sense to have a checkbox to toggle SRI until the spec is complete? My fear is something like this happens. |
|
Before it is a 'last call' then certainly that might be a good idea. (I don't expect that time frame to be very long at all). Long term it would be nice to not give people the choice in what they copy (educating developers that the feature exists is the core reason I am advocating it here :) ). Please don't hesitate to pop me a mail if you have questions. Thank you! |
|
@jonathanKingston how about something like this:
|
|
👍 looks good to me |
|
Alrighty then. @jmervine and I will start working on this...Or you can make a PR and we love you long time ;) |
|
Not today certainly, however I will look into it. The hardest part of this task looks like moving out the file list here: To be generated by a script when you are adding a new version. |
|
Also looks like the 'hellobar' code at the bottom of the page isn't there on localhost meaning I have to manually expand the code window as the toggle isn't working. Nearly got a PR ready. |
Adding in basic support for SRI - relates to: #555
|
Done #564 |
This adds the `integrity` and `crossorigin` attributes to the CDN install instructions. BootstrapCDN [implented this](jsdelivr/bootstrapcdn#555) in 2015 already. Copied from https://www.srihash.org/ (which I used to calculate these hashes): SRI is a new [W3C specification](https://www.w3.org/TR/SRI/) that allows web developers to ensure that resources hosted on third-party servers have not been tampered with. Use of SRI is recommended as a best-practice, whenever libraries are loaded from a third-party source. Learn more about [how to use subresource integrity](https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity) on MDN.
As a CDN provider it will soon become good practice to provide integrities.
See:
jsdelivr/jsdelivr#6029
cdnjs/cdnjs#4599
For all static assets that never change can integrities be added?
I'm here to help if anything is needed.
The text was updated successfully, but these errors were encountered: