New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding subresource hashes to CDN links. #17729
Conversation
In Firefox 43 and Chrome 45 there will be support for Subresource Iintegrity (SRI). More information here: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
This would also need a port for the |
@@ -28,5 +28,8 @@ expo: http://expo.getbootstrap.com | |||
|
|||
cdn: | |||
css: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css | |||
css_hash: sha384-pdapHxIh7EYuwy6K7iE41uXVxGCXY0sAjBzaElYGJUrzwodck3Lx6IE2lA0rFREo |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should probably include a comment here saying how to generate the hash
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I used https://srihash.org , instructions are also on that page.
cat FILENAME.js |
openssl dgst -sha384 -binary |
openssl enc -base64 -A
For porting to 4, it might be best to make this apart of building the documentation (if possible).
Shouldn't this be applied for jQuery loaded from Google's CDN? |
It can be applied to CSS or JS resources. There is no harm in applying it all over. Unless you're afraid the hash will fail and cause page errors, but you're already trusting a third party to serve code to you.Chris Barry On October 1, 2015 1:50:27 AM EDT, XhmikosR notifications@github.com wrote:
|
Merged. Thanks! |
In Firefox 43 and Chrome 45 there will be support for Subresource Iintegrity (SRI). More information here: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity Closes twbs#17729 by merging a tweaked version of it.
In Firefox 43 and Chrome 45 there will be support for Subresource Integrity (SRI). More information here: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity