Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add integrity check for remote resource #3348

Merged
merged 3 commits into from
Jan 21, 2022
Merged

Conversation

davel
Copy link
Contributor

@davel davel commented Dec 28, 2021

Adds an integrity attribute so that we no longer blindly trust the CDN for pdfobject.min.js. crossorigin is now necessary for the resource to continue to load.

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

Don't blindly trust free CDNs.
@HackbrettXXX
Copy link
Collaborator

Thanks for the PR. How did you create the hash? cdnjs usually creates sha512 hashs:

<script src="https://cdnjs.cloudflare.com/ajax/libs/pdfobject/2.1.1/pdfobject.min.js" integrity="sha512-4ze/a9/4jqu+tX9dfOqJYSvyYd5M6qum/3HpCLr+/Jqf0whc37VUbkpNGHR7/8pSnCFw47T1fmIpwBV7UySh3g==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>

@davel
Copy link
Contributor Author

davel commented Jan 19, 2022

Thanks for the PR. How did you create the hash? cdnjs usually creates sha512 hashs:

<script src="https://cdnjs.cloudflare.com/ajax/libs/pdfobject/2.1.1/pdfobject.min.js" integrity="sha512-4ze/a9/4jqu+tX9dfOqJYSvyYd5M6qum/3HpCLr+/Jqf0whc37VUbkpNGHR7/8pSnCFw47T1fmIpwBV7UySh3g==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>

I have upgraded the hash to sha512.

To generate the hash I followed the suggested commands on the Mozilla link. This should give you the same hash,

curl https://cdnjs.cloudflare.com/ajax/libs/pdfobject/2.1.1/pdfobject.min.js | openssl dgst -sha512 -binary | openssl base64 -A

Copy link
Collaborator

@HackbrettXXX HackbrettXXX left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alright, looks good. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants