fix: integrity attribute added for rel icon #326
Comments
As usual, you need to download the StackBlitz and execute it locally, it seems.
Hey @dargmuesli Thanks for reporting this issue. @vejja do you think that we should fix it for 1.0.0 or for the patch like 1.0.1?
Hi @dargmuesli My understanding is that the W3C spec (https://www.w3.org/TR/SRI/) is quite loose. It is true that all examples in the document are about stylesheets. Also section 3.8 only describes links for stylesheets. There is an overall feeling that SRI was initially intended for stylesheets only (in the case of links). However, that section 3.8 seems to be restricted to required modifications of the HTML. In addition, 3.4 specifically states:
Therefore my view was that we can cover all link elements if we have the hash. Edit: I am testing on Chrome, which browser do you use?
From my side, if it does not break anything right now, we could proceed with 1.0.0 and release a fix for 1.0.1. Or if we decide not to change it to support future cases to just leave it as it is :)
Well it's not urgent, so you can release v1, but it makes integration with Nuxt module html-validator fail.
Isn't there already the logic that should filter the tags on which integrity is to be added in the following place?
Well you're correct.
Yes, although that part is CSP-related. It extracts the integrity hashes from HTML to copy them into the CSP header. So here I made sure that I was only extracting the hashes when valid from an HTML perspective.
Thanks for additional info guys. Do you think it should be added to 1.0.0 or can be added as 1.0.1?
For me
Should be fixed in 1.0.0 :)
Version
nuxt-security: 1.0.0-rc.5
nuxt: 3.8.2
Reproduction Link
https://stackblitz.com/edit/github-bln8kp?file=nuxt.config.ts
Steps to reproduce
Use @nuxtseo/module and nuxt-security.
What is Expected?
The head includes
As rel="icon" should be excluded from having integrity added.
What is actually happening?
The head includes
The head includes
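
Added example, not part of the original issue and not nuxt-security's own code: one way to restrict hash injection so that rel="icon" links are left untouched. It goes beyond the icon case by allowing integrity only for the rel keywords on which the HTML Standard permits it for link elements (stylesheet, preload, modulepreload); the function names, the sample head and the placeholder hash values are assumptions.

```javascript
// Added example: hypothetical helper names, not nuxt-security's own code.
// rel keywords for which the HTML Standard allows `integrity` on <link>.
const SRI_LINK_RELS = new Set(['stylesheet', 'preload', 'modulepreload']);

// Read one quoted attribute value from a tag's source text, or null.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2]) : null;
}

// True when the tag's rel contains at least one SRI-capable keyword.
function linkAcceptsIntegrity(tag) {
  const rel = getAttr(tag, 'rel');
  if (!rel) return false;
  return rel.toLowerCase().split(/\s+/).some((kw) => SRI_LINK_RELS.has(kw));
}

// Add integrity="..." to eligible <link> tags whose href has a known hash.
// `hashes` is a Map of href -> "sha384-..." computed elsewhere (assumption).
function addLinkIntegrity(html, hashes) {
  return html.replace(/<link\b[^>]*>/gi, (tag) => {
    const href = getAttr(tag, 'href');
    if (!href || !hashes.has(href)) return tag;         // no hash known
    if (getAttr(tag, 'integrity') !== null) return tag; // already set
    if (!linkAcceptsIntegrity(tag)) return tag;         // e.g. rel="icon"
    return tag.replace(/^<link\b/i, () => `<link integrity="${hashes.get(href)}"`);
  });
}

// Constructed sample input; hash values are placeholders, not real digests.
const sampleHead = [
  '<link rel="icon" href="/favicon.ico">',
  '<link rel="stylesheet" href="/_nuxt/entry.css">',
  '<link rel="modulepreload" as="script" href="/_nuxt/entry.js">',
].join('\n');
const sampleHashes = new Map([
  ['/favicon.ico', 'sha384-PLACEHOLDER_ICON'],
  ['/_nuxt/entry.css', 'sha384-PLACEHOLDER_CSS'],
  ['/_nuxt/entry.js', 'sha384-PLACEHOLDER_JS'],
]);
console.log(addLinkIntegrity(sampleHead, sampleHashes));
```

Even though a hash for /favicon.ico is available, the icon link is returned unchanged, so the rendered head stays valid for an HTML validator.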