Include hashes for CDN Javascript for security #761
Labels
format:HTML
pertains to exporting to the HTML format
good first issue
great for new contributors
help wanted
Comments
takluyver
added
help wanted
good first issue
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I just found out about 'subresource integrity' - any JS/CSS loaded from an external location can be tagged with a hash, which modern browsers can verify to ensure that it hasn't been tampered with:
https://scotthelme.co.uk/subresource-integrity/
Nbconvert HTML output can be displayed from the domain of a running notebook server (when you do 'print preview' in the notebook editor). So if one of the CDNs we use was compromised to serve malicious Javascript, it could interact with the notebook server, send code to a kernel, and take control of your computer. Hopefully cdnjs and unpkg both take security seriously, but it's easy for us to take an extra precaution.
There's a handy tool here that can generate the necessary code for a given URL: https://report-uri.com/home/sri_hash
The text was updated successfully, but these errors were encountered: