Adding subresource hashes to CDN links. #17729

Closed

chris-barry

In Firefox 43 and Chrome 45 there will be support for Subresource Integrity (SRI). More information here: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

In Firefox 43 and Chrome 45 there will be support for Subresource
Integrity (SRI). More information here:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
@cvrebert
Collaborator

This would also need a port for the v4-dev branch.

@@ -28,5 +28,8 @@ expo: http://expo.getbootstrap.com

cdn:
css: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css
css_hash: sha384-pdapHxIh7EYuwy6K7iE41uXVxGCXY0sAjBzaElYGJUrzwodck3Lx6IE2lA0rFREo
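
Review bot: `css_hash` under `cdn:` is a hand-pasted literal sitting next to a version-pinned URL (`.../bootstrap/3.3.5/css/bootstrap.min.css`), and nothing in this hunk records how the value was produced or ties it to that file. When the version in `css:` is bumped and the hash is not, browsers that enforce SRI will refuse to apply the stylesheet. Suggest a YAML comment above `css_hash` with the command used to generate it, or computing the value during the docs build so the URL and the hash cannot drift apart.
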
Collaborator

Should probably include a comment here saying how to generate the hash

Author

I used https://srihash.org, instructions are also on that page.

cat FILENAME.js |
openssl dgst -sha384 -binary |
openssl enc -base64 -A

For porting to 4, it might be best to make this a part of building the documentation (if possible).
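
Added example (not part of the thread or the Bootstrap code base): a check that could run during a docs build, producing the same base64 digest as the openssl pipeline above with the `sha384-` prefix and showing a pinned hash rejecting a changed file. The function names and the sample CSS bytes are constructed for illustration.

```python
import base64
import hashlib

# Hash functions defined for SRI, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, alg: str = "sha384") -> str:
    """Return the integrity token for data, e.g. 'sha384-<base64 digest>'."""
    if alg not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Check data against an integrity value that may list several tokens.

    As in browsers, only tokens using the strongest listed algorithm count,
    and any one of them matching is enough. Unlike browsers, a value with no
    usable token is an error here, because a build check should not pass
    silently on a typo.
    """
    by_alg = {}
    for token in integrity.split():
        alg, sep, rest = token.partition("-")
        if sep and alg in SRI_ALGORITHMS:
            # Drop the optional '?options' suffix the token grammar allows.
            by_alg.setdefault(alg, []).append(rest.split("?", 1)[0])
    if not by_alg:
        raise ValueError(f"no usable SRI token in {integrity!r}")
    strongest = max(by_alg, key=SRI_ALGORITHMS.index)
    expected = sri_hash(data, strongest).split("-", 1)[1]
    return expected in by_alg[strongest]


# Constructed sample data standing in for a CDN file and a later release of it.
RELEASED_CSS = b"body{margin:0}\n"
NEXT_RELEASE_CSS = b"body{margin:0;padding:0}\n"
PINNED = sri_hash(RELEASED_CSS)  # what would be stored as css_hash

if __name__ == "__main__":
    print(PINNED)
    print("released file matches:", verify_integrity(RELEASED_CSS, PINNED))
    print("new file, old hash:  ", verify_integrity(NEXT_RELEASE_CSS, PINNED))
```
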

@XhmikosR
Member

XhmikosR commented Oct 1, 2015

Shouldn't this be applied for jQuery loaded from Google's CDN?

@chris-barry
Author

It can be applied to CSS or JS resources. There is no harm in applying it all over. Unless you're afraid the hash will fail and cause page errors, but you're already trusting a third party to serve code to you.

Chris Barry


cvrebert added this to the v3.3.6 milestone Oct 24, 2015
cvrebert closed this in 9aeec56 Oct 24, 2015
cvrebert added a commit that referenced this pull request Oct 24, 2015
@cvrebert
Collaborator

Merged. Thanks!
Also updated the relevant page of the hosted docs: http://getbootstrap.com/getting-started/#download-cdn

mdo mentioned this pull request Oct 24, 2015
cvrebert added a commit that referenced this pull request Oct 24, 2015
chiraggmodi pushed a commit to chiraggmodi/bootstrap that referenced this pull request Apr 8, 2019
In Firefox 43 and Chrome 45 there will be support for Subresource
Integrity (SRI). More information here:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

Closes twbs#17729 by merging a tweaked version of it.