Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use CDN with SRI #2011

Closed
fulldecent opened this issue Oct 21, 2018 · 4 comments
Closed

Use CDN with SRI #2011

fulldecent opened this issue Oct 21, 2018 · 4 comments

Comments

@fulldecent
Copy link

fulldecent commented Oct 21, 2018

Presently the README recommends using CDN like this:

<script src="https://cdn.jsdelivr.net/gh/ethereum/web3.js/dist/web3.min.js"></script>

Source: https://github.com/ethereum/web3.js/blob/develop/README.md

Please switch to a better CDN provider that providers stable resources and integrity hashes (SRI). This will remove a current vulnerability in the system and it will improve resource caching.

@MartinKolarik
Copy link

No need to switch the provider, just use this if you want SRI: <script src="https://cdn.jsdelivr.net/gh/ethereum/web3.js@1.0.0-beta.36/dist/web3.min.js" integrity="sha256-nWBTbvxhJgjslRyuAKJHK+XcZPlCnmIAAMixz6EefVk=" crossorigin="anonymous"></script> (from https://www.jsdelivr.com/package/gh/ethereum/web3.js?path=dist).

@fulldecent note that this link uses a different package (or a different source, actually - GitHub) than jsdelivr/jsdelivr#18105 because this project doesn't ship the build file in npm package.

@fulldecent
Copy link
Author

fulldecent commented Oct 21, 2018

Thank you, posted in pull request #2012

@MartinKolarik
Copy link

In my experience many people (and even more project maintainers) prefer the versionless links though because they don't become outdated (or don't have to be updated every time). A good compromise might be keeping the current link without SRI and adding a note like "or get a link with SRI enabled here", linking to https://www.jsdelivr.com/package/gh/ethereum/web3.js?path=dist

@fulldecent
Copy link
Author

The programmers become irrelevant when the customers leave. Security first!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants