-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable SRI on CDN docs #246
Comments
Cool idea. I see one little problem, browser compatibility. Should FUI update browser compatibility (only for CDN of course) or offer both CDN and CDN with SRI? |
@TheJltres For my understanding the |
Didn't know, thanks! |
I'm brand new to FUI, looking to switch away from BS4, so I'm diving in head-first to the project. :) Maybe add a note to the docs explaining that not all browsers understand SRI and won't see the benefit? Since my day job is Information Security, I'm all about educating developers to make better decisions. I'm happy to submit a PR to the docs if it'd help explain why SRI, or if you feel like it'd cause more confusion, totally fine. |
@h4ckninja You are welcome to prepare a PR 🙂 The only Problem i see is that we would have to update that hash every time we do a release (otherwise the old hash will prevent loading the new version which is even worse if people copy the docs code) So you may prepare a PR which is not only adding the |
I take a look on how to do it, and I think get it from jsdelivr would not be the best way, they don't have an API for that, and make sense, you can generate that token with a simple command like this: Tools for generating SRI hashes
So I think the best possible implementation is a variable on Or something like this https://stackoverflow.com/questions/12460373/execute-command-line-order-from-coffee-script, but the code will be generated each time a request is done... |
jsdelivr do have API. Here's how you can list files for FUI package: https://data.jsdelivr.com/v1/package/npm/[email protected] But, it's not easy to parse SRI hash from the JSON object. There's no other API endpoint to get only for SRI hash for each file. You'll have to list the files from FUI package and then filter the Here's API documentation (https://github.com/jsdelivr/data.jsdelivr.com). It's easier to get SRI hash from cdnjs and unpkg than jsdelivr. cdnjs: SRI hash is in root level of response JSON. Each file also have particular SRI hash. unpkg: Note the query string |
Apologies, it's been a busy week at work. I can try to dive in this weekend. Ideally, I think, would be to generate the hash prior to pushing to the CDN - at build time. The reason is the SRI hash is to mitigate compromised packages on CDNs, but if we don't know the state of the of the file on the CDN prior to obtaining the hash, we could be hashing a compromised file. I don't know what the build pipeline looks like for Fomantic, but would it be possible to generate the hash, push them to the docs that get built, and publish? |
@ko2in I inspect their page, and only use that API for the badge, but nice to see there is more information Maybe they do that on server side |
Hi,
This is part feature request, part security. Subresource Integrity is encouraged on CDN files. On Getting Started, three CDNs are linked, but none of them use SRI to mitigate against the issue of CDN's delivering malware through modified JavaScript. This has happened before with a number of projects, such as jQuery.
The text was updated successfully, but these errors were encountered: