patch: Add Subresource Integrity to scripts being fetched #2910

Merged
merged 1 commit into from
Feb 19, 2024

@vipulgupta2048 vipulgupta2048 commented Feb 19, 2024

Adding Subresource integrity to script tags in the docs.

Hash generated from: https://www.srihash.org/
Report: https://github.com/balena-io/docs/security/code-scanning/1
Solves: #2909

Signed-off-by: Vipul Gupta (@vipulgupta2048) [email protected]

@vipulgupta2048 vipulgupta2048 linked an issue Feb 19, 2024 that may be closed by this pull request
@flowzone-app flowzone-app bot enabled auto-merge February 19, 2024 09:24
@@ -1,4 +1,4 @@
<script src="//cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.15/lodash.min.js" type="text/javascript"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.15/lodash.min.js" integrity="sha512-3oappXMVVac3Ge3OndW0WqpGTWx9jjRJA8SXin8RxmPfc8rg87b31FGy14WHG/ZMRISo9pBjezW9y00RYAEONA==" crossorigin="anonymous"></script>
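
Review bot: The `integrity` value on the added `<script>` line pins the exact bytes of lodash 4.17.15, but nothing beside the tag records that, so a later version bump in `src` that leaves the hash untouched will make browsers refuse to load the script. Consider an HTML comment next to the tag saying the hash must be regenerated whenever the URL changes, and recompute the sha512 digest locally from the downloaded file instead of relying only on the third-party generator named in the description, so the pinned value is confirmed against what the CDN serves.
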
Member

The docs say that you could just use crossorigin as a tag w/o a value, and that should be equivalent to anonymous

> Setting the attribute name to an empty value, like crossorigin or crossorigin="", is the same as anonymous.

But other than that lgtm 👍

See: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin#sect1

Member Author

TIL.
A field without a value is just confusion and an extra google search waiting to happen. Leaving it explicit makes the code self-explanatory.

@thgreasi thgreasi disabled auto-merge February 19, 2024 09:44
@vipulgupta2048 vipulgupta2048 merged commit af01434 into master Feb 19, 2024
47 checks passed
@vipulgupta2048 vipulgupta2048 deleted the vipulgupta2048/source-integrity branch February 19, 2024 10:45
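
The check that the `integrity` attribute discussed in this pull request relies on, as an added Node.js example that is not part of the pull request or the balena docs code: it computes an SRI value locally, verifies bytes against an attribute, and lists external script tags that lack SRI. The function names, `SAMPLE_LIB`, `SAMPLE_HTML` and the `cdn.example` host are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Integrity value ("sha512-<base64 digest>") for the given bytes.
function sriFor(bytes, algo = "sha512") {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest("base64")}`;
}

// Check bytes against a space-separated integrity attribute. As in browsers, only
// the strongest algorithm listed counts. Unlike browsers, an attribute with no
// usable hash is reported as a failure rather than ignored.
function verifySri(bytes, integrity) {
  const rank = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);
  const algoOf = (token) => token.split("-")[0];
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => t.split("?")[0])          // drop optional "?options"
    .filter((t) => rank.has(algoOf(t)));  // skip unknown algorithms
  if (tokens.length === 0) return false;
  const best = Math.max(...tokens.map((t) => rank.get(algoOf(t))));
  return tokens
    .filter((t) => rank.get(algoOf(t)) === best)
    .some((t) => t === sriFor(bytes, algoOf(t)));
}

// List external <script> tags that are not https or lack integrity/crossorigin.
// Regex scanning suits simple templates; use an HTML parser for anything else.
function auditScripts(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src || !/^(https?:)?\/\//i.test(src)) continue; // inline or same-origin
    const problems = [];
    if (!/^https:\/\//i.test(src)) problems.push("not https");
    if (!/\bintegrity\s*=\s*["'][^"']+["']/i.test(tag)) problems.push("no integrity");
    if (!/\bcrossorigin\b/i.test(tag)) problems.push("no crossorigin");
    if (problems.length) findings.push({ src, problems });
  }
  return findings;
}

// Constructed sample input: a stand-in library body and a template fragment.
const SAMPLE_LIB = Buffer.from("window.sampleLib = { version: '0.0.0' };");
const SAMPLE_HTML = `
<script src="//cdn.example/lib.min.js" type="text/javascript"></script>
<script src="https://cdn.example/lib.min.js" integrity="${sriFor(SAMPLE_LIB)}" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>`;

console.log(auditScripts(SAMPLE_HTML));
console.log(verifySri(SAMPLE_LIB, sriFor(SAMPLE_LIB)));
```

Run against a real template, `auditScripts` treats a bare `crossorigin` attribute the same as `crossorigin="anonymous"`, matching the equivalence quoted in the review comment.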
Successfully merging this pull request may close these issues.

Add SRI to Docs JS resources being fetched from CDN's