fix: Allow scripts and styles to load cross-origin, e.g. from Google Translate #215
Conversation
|
Thanks!
Like this. It's a nice enhancement. |
Not something I can implement however. I'm stuck on Hugo 0.68.3 for a while, so the current theme version is unusable for me. |
…rinting BREAKING CHANGE: enableFingerprint config parameter no longer enables Subresource Integrity. If you need it, you have to specify enableSRI parameter as well
|
I’m finally on the current MemE version again, so I can test this. The additional commit introduces a new |
|
Merged, but the Chinese config change still needs to happen. |
|
Yes! I'm about to push a commit... Guess I should do it firstly next time, before the approval on GitHub CLI. Anyway, thanks again! |
…rinting (reuixiy#215) This allows scripts and styles to load cross-origin, e.g. when the page is viewed from Google Translate. BREAKING CHANGE: enableFingerprint config parameter no longer enables Subresource Integrity. If you need it, you have to specify enableSRI parameter as well
I noticed that neither scripts nor styles of my websites were loading when somebody attempted to translate an article via Google Translate. That's due to
enableFingerprint = trueconfiguration option - it doesn't merely enable fingerprinting but also Subresource Integrity. Turns out, cross-origin requests withintegrityattribute are blocked by default, otherwise these could be misused to leak information.The solution consists of two parts:
crossorigin="anonymous"attribute to the requests in question (done here).Access-Control-Allow-Origin: *header to JS/CSS requests - has to be done in server configuration.The second part probably needs documenting. The other option would be to separate fingerprinting (useful by itself to avoid using outdated scripts/styles) and Subresource Integrity in the configuration.