Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add subresource integrity hashes #306

Open
Fil opened this issue Dec 4, 2023 · 3 comments · Fixed by #317
Open

Add subresource integrity hashes #306

Fil opened this issue Dec 4, 2023 · 3 comments · Fixed by #317
Labels
enhancement New feature or request

Comments

@Fil
Copy link
Contributor

Fil commented Dec 4, 2023

We could add subresource integrity hashes to scripts (and stylesheets?).

Related:
@Fil Fil added the enhancement New feature or request label Dec 4, 2023
@Fil Fil added this to the Future milestone Dec 4, 2023
@Fil Fil mentioned this issue Dec 4, 2023
Merged
7 tasks
@mbostock mbostock mentioned this issue Dec 5, 2023
Merged
@mbostock mbostock self-assigned this Dec 5, 2023
@mbostock
Copy link
Member

mbostock commented Dec 6, 2023

I had to turn this off because +esm isn’t compatible with sri; the contents can change. So this probably needs to be paired with #20 to download the modules themselves and thereby guarantee that they can’t change.

@mbostock mbostock reopened this Dec 6, 2023
@mbostock mbostock mentioned this issue Dec 6, 2023
Closed
@mbostock mbostock removed their assignment Jan 23, 2024
@Fil
Copy link
Contributor Author

Fil commented Mar 23, 2024

Does this even matter anymore since everything is now self-hosted? The scenario where an attackers hacks into the scripts is at the same threat level as an attacker hacks into the website.

@mbostock
Copy link
Member

I think it’s a lot less important, certainly. I don’t know if there’s a compelling use case if everything is self-hosted, but we could in theory still support it.

@mbostock mbostock removed this from the Future milestone Mar 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

transitive module preloads & subresource integrity observablehq/framework
2 participants
@Fil @mbostock