I wouldn't think you'd need any additional attributes. Just something like:

<link rel="stylesheet" type="text/css" href="https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css">

This is how I do it in my tools.

~ MA
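The quoted thread below asks whether the integrity token stays the same no matter which mirror serves the file. It does, as long as the bytes are identical: the token is just a base64-encoded hash of the file contents, and the host name plays no part. The following script is an added example, not code from this thread or from any of the tools discussed; it recomputes an SRI token from file bytes and checks bytes against an integrity attribute the way a browser does (strongest listed algorithm wins). The function names and the stand-in file contents are constructed for the example.

```python
"""Subresource Integrity tokens: identical bytes give an identical token, whichever host served them."""
import base64
import hashlib

# Hash functions SRI allows, listed weakest to strongest; browsers use the strongest one present.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_token(data: bytes, algo: str = "sha384") -> str:
    """Compute the value that goes into integrity="..." for the given file bytes."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(data: bytes, integrity: str) -> bool:
    """Check `data` against an integrity attribute value.

    Mirrors browser behaviour: among the tokens whose algorithm is recognised, keep only
    those using the strongest algorithm, and accept if any of them matches the bytes.
    This checker is strict: an attribute with no usable token is treated as a mismatch
    (a browser would instead behave as if the attribute were absent).
    """
    parsed = []
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        if sep and algo in SRI_ALGOS:
            parsed.append((algo, b64))
    if not parsed:
        return False
    strongest = max(parsed, key=lambda t: SRI_ALGOS.index(t[0]))[0]
    expected = {b64 for algo, b64 in parsed if algo == strongest}
    actual = sri_token(data, strongest).partition("-")[2]
    return actual in expected


# Constructed stand-in for a stylesheet; a real check would hash the bytes actually served.
BOOTSTRAP_LIKE = b".btn{display:inline-block;font-weight:400;}\n"
MIRROR_A = BOOTSTRAP_LIKE                               # e.g. the original CDN
MIRROR_B = bytes(BOOTSTRAP_LIKE)                        # e.g. a mirror serving the identical file
TAMPERED = BOOTSTRAP_LIKE.replace(b"400", b"700")       # same file with one byte changed


def demo() -> dict:
    """Token computed from mirror A must accept mirror B's bytes and reject the altered file."""
    token = sri_token(MIRROR_A)
    return {
        "token": token,
        "mirror_b_ok": sri_matches(MIRROR_B, token),
        "tampered_ok": sri_matches(TAMPERED, token),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To check a real mirror, fetch the file once, pass its bytes to `sri_token`, and compare with the value already in the `integrity` attribute; a differing token means the mirror is not serving the same bytes and the attribute must be regenerated from that mirror's copy. Note that the hash check itself is independent of the `crossorigin` question raised further down the thread; that attribute only governs whether the browser is allowed to perform the check at all.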

On Wed, Jun 24, 2020 at 10:15 AM Roy Smith <r...@panix.com> wrote:

> Oh, this is unexpected.  When I do the change diffed below, I get:
>
> Subresource Integrity: The resource '
> https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css'
> has an integrity attribute, but the resource requires the request to be
> CORS enabled to check the integrity, and it is not. The resource has been
> blocked because the integrity cannot be enforced.
>
>
> It looks like I need to drop the integrity attribute as well.  Or, is
> there value in keeping both the integrity and crossorigin="anonymous",
> since (I'm assuming) that will provide some protection against the file
> being unexpectedly replaced with something else?
>
>
>
>
> On Jun 24, 2020, at 9:41 AM, Roy Smith <r...@panix.com> wrote:
>
> Thank you for reminding me that fixing this has been on my list
> <https://github.com/roysmith/spi-tools/issues/4> for a while.  My CSP-fu
> is weak.  As I understand it, all I need do is:
>
>  <!-- Bootstrap CSS -->
>  <link
>    rel="stylesheet"
> -  href="
> https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css";
> -
> integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T"
> -  crossorigin="anonymous">
> +  href="
> https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css
> "
> +
> integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T">
>
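Review bot: the `+` lines keep `integrity="sha384-..."` but drop `crossorigin="anonymous"`, and a browser will refuse to apply the stylesheet in that state, exactly as the Subresource Integrity error quoted at the top of this thread shows: the integrity check can only be performed on a CORS-enabled request. Either keep `crossorigin="anonymous"` on the new `href` (the mirror then has to answer with CORS headers) or drop `integrity` together with it. Keeping the old hash value unchanged is only correct if the mirror serves a byte-identical file; otherwise the value has to be regenerated from the file the mirror actually serves.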
> and similar changes for the other linked-to resources.  Two specific
> questions:
>
>    - The integrity token is the same, no matter which mirror I get it
>    from?
>    - I can drop the crossorigin attribute since I'm not doing CORS any
>    more?
>
>
> On Jun 23, 2020, at 3:06 PM, MusikAnimal <musikani...@gmail.com> wrote:
>
> The Content Security Policy violations are report-only, if that's what
> you're referring to. Popper, Bootstrap, jQuery and Selectize are all
> available via https://cdnjs.toolforge.org/ which will get around the CSP
> directive. For fonts you could try https://fontcdn.toolforge.org/
>
> ~ MA
>
>
> _______________________________________________
> Wikimedia Cloud Services mailing list
> Cloud@lists.wikimedia.org (formerly lab...@lists.wikimedia.org)
> https://lists.wikimedia.org/mailman/listinfo/cloud
>
>
>
