use integrity attribute for javascripts from CDN #2548

Closed
stevepiercy opened this issue May 7, 2016 · 5 comments

@stevepiercy
Member

Our scaffolds and possibly other items reference jQuery without an integrity attribute. From http://jquery.com/download/#jquery-39-s-cdn-provided-by-maxcdn

The jQuery CDN supports Subresource Integrity (SRI, https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), which allows the browser to verify that the files being delivered have not been modified. This specification (https://www.w3.org/TR/SRI/) is currently being implemented by browsers. Adding the new integrity attribute will ensure your application gains this security improvement as browsers support it.

<script
   src="https://code.jquery.com/jquery-1.12.3.min.js"
   integrity="sha256-aaODHAgvwQW1bFOGXMeX+pC4PZIPsvn2h1sArYOhgXQ="
   crossorigin="anonymous"></script>
@ztane
Contributor

ztane commented Jul 3, 2016

... and the important thing is to remember to change these integrity stamps as you update versions.

It happened to me that I copied these integrity stamps verbatim from getbootstrap.com, worked for me (on Firefox) and failed spectacularly then on customer's Chrome :D
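
An added example, not part of this thread or of Pyramid's code: one way to catch a stale or missing `integrity` value before release is to audit a template's external script tags against the bytes actually served. The URLs and file bodies are constructed placeholders, and the `files` dict is an assumption standing in for fetching each file from the CDN.

```python
import base64
import hashlib
from html.parser import HTMLParser

ALGS = ("sha256", "sha384", "sha512")  # weakest to strongest


def sri_hash(data, alg="sha256"):
    """Build an integrity value: '<alg>-<base64 of the raw digest>'."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, data).digest()).decode()}"


class _Scripts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []  # (src, integrity or None) for each external script

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and (a.get("src") or "").startswith(("http://", "https://", "//")):
            self.tags.append((a["src"], a.get("integrity")))


def audit(html, files):
    """Return {src: 'ok' | 'missing' | 'mismatch'}; files maps src -> served bytes."""
    parser = _Scripts()
    parser.feed(html)
    result = {}
    for src, integrity in parser.tags:
        # Drop any '?options' suffix and ignore tokens with an unknown algorithm.
        tokens = [t.split("?")[0] for t in (integrity or "").split() if t.split("-")[0] in ALGS]
        if not tokens:
            result[src] = "missing"
            continue
        # Only the strongest algorithm listed is compared, as browsers do.
        best = max((t.split("-")[0] for t in tokens), key=ALGS.index)
        wanted = {t for t in tokens if t.startswith(best + "-")}
        result[src] = "ok" if sri_hash(files[src], best) in wanted else "mismatch"
    return result


# Constructed sample: placeholder URLs and file bodies, not real jQuery releases.
OLD, NEW = b"/* lib 1.0 */", b"/* lib 1.1 */"
CDN = "https://cdn.example.invalid/"
TEMPLATE = f"""
<script src="{CDN}lib-1.1.js" integrity="{sri_hash(OLD)}" crossorigin="anonymous"></script>
<script src="{CDN}plain.js"></script>
<script src="{CDN}ok.js" integrity="{sri_hash(NEW, 'sha384')}" crossorigin="anonymous"></script>
"""
FILES = {CDN + "lib-1.1.js": NEW, CDN + "plain.js": NEW, CDN + "ok.js": NEW}
print(audit(TEMPLATE, FILES))
```

The first tag models a version bump where the `src` changed but the hash was carried over from the old file, which a browser enforcing SRI would refuse to run.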

@ikolar

ikolar commented Dec 6, 2016

Working on it ...

@fangpenlin
Contributor

I can handle this

@stevepiercy
Member Author

So... I hate to say this and I apologize for not stating this up front, but things have changed since this issue was created and I did not provide a complete description:

If you could also update all those places, then I'd prefer to merge all the PRs in one swoop. Thank you!

@fangpenlin
Contributor

it's all good, let me try to fix them all at once

stevepiercy added a commit that referenced this issue May 23, 2017
Fix #2548, add SRI has for script tags
stevepiercy pushed a commit to stevepiercy/pyramid that referenced this issue May 23, 2017