Add SRI to CDN code snippets

CorralPeltzer Posts: 3 Questions: 2 Answers: 0

Subresource Integrity is a well-known W3C recommendation to ensure external resources are not modified, and some public CDNs offer the links with SRI in them, like CDNJS or jsDelivr. It would be great if all code snippets in the CDN and the Download Builder added the integrity tag. It is also easy to automate the hash generation (openssl dgst -sha384 -binary filename.js | openssl base64 -A).

More info:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
https://www.w3.org/TR/SRI/
https://en.wikipedia.org/wiki/Subresource_Integrity

Answers

  • allan Posts: 61,446 Questions: 1 Answers: 10,054 Site admin
    Answer ✓

    Completely agree. I've just not managed to get around to it yet. It is something that is on my radar and plan to add in future.

    Allan

  • melodiouscode Posts: 2 Questions: 0 Answers: 0

    Any news on this?

  • allan Posts: 61,446 Questions: 1 Answers: 10,054 Site admin

    Not yet, sorry. It is still on my list of things to do - it's just a long list...

    Allan

  • melodiouscode Posts: 2 Questions: 0 Answers: 0

    I know the feeling! Am I right in thinking that, because you have versioned the endpoints, I am safe adding SRI myself and you aren't going to change existing versions and break things!?

    Cheers

    James

  • allan Posts: 61,446 Questions: 1 Answers: 10,054 Site admin

    Spot on. Once a file is on the CDN it isn't going to change.

    Allan

  • CorralPeltzer Posts: 3 Questions: 2 Answers: 0
    edited October 2019

    Hi! After adding SRI to my website's DataTables CDN resources (specifically https://cdn.datatables.net/v/bs/dt-1.10.15/r-2.1.1/datatables.min.css and https://cdn.datatables.net/v/bs/dt-1.10.15/r-2.1.1/datatables.min.js), SRI validation started failing a few days ago and partially broke my site. The failures also seem to be location dependent, so I assume this is related to the new CDN software announced.

    The files appear to be text-identical when diffed against the Internet Archive versions from a year ago, but I would advise keeping the files in the CDN binary-identical as well, as good practice.

  • colin Posts: 15,112 Questions: 1 Answers: 2,583

    Hi @CorralPeltzer,

    The files appear to be text-identical when diffed against the Internet Archive versions from a year ago, but I would advise keeping the files in the CDN binary-identical as well, as good practice.

    We implemented an update to the CDN recently, and as a result the files unavoidably changed. Agreed that it's good practice to keep them binary identical - this was a one-off change and we don't expect to make any changes in the future.

    Apologies for the inconvenience.

    Cheers,

    Colin
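The hash generation described in the opening post, and the byte-level CDN change that broke validation later in the thread, as an added example (not code from this thread or from the DataTables project); the sample file contents and the CRLF rewrite are constructed, and `sri_hash`, `script_tag`, `integrity_matches` and `text_identical` are names chosen here:

```python
import base64
import hashlib

# Hash algorithms the SRI spec allows in an integrity attribute.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>'.

    Equivalent to the thread's one-liner:
        openssl dgst -sha384 -binary file.js | openssl base64 -A
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(url: str, data: bytes) -> str:
    """Build the <script> tag to paste into a page.

    crossorigin="anonymous" is needed for a cross-origin CDN resource;
    without it the browser cannot perform the integrity check.
    """
    return (f'<script src="{url}" integrity="{sri_hash(data)}" '
            f'crossorigin="anonymous"></script>')

def integrity_matches(data: bytes, integrity: str) -> bool:
    """Mimic the browser: the response passes if any listed token matches.

    Tokens with an unknown algorithm are ignored, as the spec requires.
    """
    for token in integrity.split():
        algorithm, _, _ = token.partition("-")
        if algorithm in SRI_ALGORITHMS and sri_hash(data, algorithm) == token:
            return True
    return False

def text_identical(a: bytes, b: bytes) -> bool:
    """A diff tool's view: equal once line endings are normalised."""
    return a.replace(b"\r\n", b"\n") == b.replace(b"\r\n", b"\n")

# Constructed sample: a tiny file as first served, and the same file after
# a CDN migration rewrote its line endings from LF to CRLF.
ORIGINAL = b"/* DataTables sample */\nvar x = 1;\n"
REWRITTEN = ORIGINAL.replace(b"\n", b"\r\n")
PINNED = sri_hash(ORIGINAL)  # what a site owner would have pinned

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/datatables.min.js", ORIGINAL))
    print("text identical:", text_identical(ORIGINAL, REWRITTEN))
    print("still validates:", integrity_matches(REWRITTEN, PINNED))
```

The last two lines print `True` and `False`: the files diff clean as text, yet the pinned hash no longer validates, which is the failure reported in the thread.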

This discussion has been closed.