Honestly, I don't see any downsides to just keeping the attributes.
Integrity validation is a valid defense and if it's blocked for some reason
that should be fixed on our side.

YiFei Zhu

On Wed, Jun 24, 2020, 10:11 MusikAnimal <musikani...@gmail.com> wrote:

> I wouldn't think you'd need any additional attributes. Just something like:
>
> <link rel="stylesheet" type="text/css" href="
> https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css
> ">
>
> This is how I do it in my tools.
>
> ~ MA
>
> On Wed, Jun 24, 2020 at 10:15 AM Roy Smith <r...@panix.com> wrote:
>
>> Oh, this is unexpected.  When I do the change diffed below, I get:
>>
>> Subresource Integrity: The resource '
>> https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css'
>> has an integrity attribute, but the resource requires the request to be
>> CORS enabled to check the integrity, and it is not. The resource has been
>> blocked because the integrity cannot be enforced.
>>
>>
>> It looks like I need to drop the integrity attribute as well.  Or, is
>> there value in keeping both the integrity and crossorigin="anonymous",
>> since (I'm assuming) that will provide some protection against the file
>> being unexpectedly replaced with something else?
>>
>>
>>
>>
>> On Jun 24, 2020, at 9:41 AM, Roy Smith <r...@panix.com> wrote:
>>
>> Thank you for reminding me that fixing this has been on my list
>> <https://github.com/roysmith/spi-tools/issues/4> for a while.  My CSP-fu
>> is weak.  As I understand it, all I need do is:
>>
>>  <!-- Bootstrap CSS -->
>>  <link
>>    rel="stylesheet"
>> -  href="
>> https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css";
>> -
>> integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T"
>> -  crossorigin="anonymous">
>> +  href="
>> https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css
>> "
>> +
>> integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T">
>>
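Review bot: the hunk removes `-  crossorigin="anonymous">` without adding it back on the new `href`, which makes the stylesheet unloadable: a cross-origin resource that carries an `integrity` attribute must be requested with CORS for the browser to verify the hash, which is exactly the "requires the request to be CORS enabled to check the integrity" error reported further up the thread. Keep the attribute on the replaced tag, i.e. end the `+` block with `+  crossorigin="anonymous">`. The `integrity` value itself is a hash of the file bytes, so it only carries over to the new mirror if that mirror serves a byte-identical bootstrap.min.css.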
>> and similar changes for the other linked-to resources.  Two specific
>> questions:
>>
>>    - The integrity token is the same, no matter which mirror I get it
>>    from?
>>    - I can drop the crossorigin attribute since I'm not doing CORS any
>>    more?
>>
>>
>> On Jun 23, 2020, at 3:06 PM, MusikAnimal <musikani...@gmail.com> wrote:
>>
>> The Content Security Policy violations are report-only, if that's what
>> you're referring to. Popper, Bootstrap, jQuery and Selectize are all
>> available via https://cdnjs.toolforge.org/ which will get around the CSP
>> directive. For fonts you could try https://fontcdn.toolforge.org/
>>
>> ~ MA
>>
>>
>> _______________________________________________
>> Wikimedia Cloud Services mailing list
>> Cloud@lists.wikimedia.org (formerly lab...@lists.wikimedia.org)
>> https://lists.wikimedia.org/mailman/listinfo/cloud
>>
>>
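The two questions in the thread (is the integrity token mirror-independent, and can `crossorigin` be dropped) both come down to how SRI works: the token is a hash of the file bytes, and the browser can only check it on a CORS-enabled fetch. The following is an added example, not code from the thread or from the tools discussed; it computes an SRI value the way a browser would check it, compares two constructed "mirror" copies, and emits a `<link>` tag that keeps both attributes. The URL and CSS bytes are constructed placeholders.

```python
import base64
import hashlib
import html

# Constructed sample payloads standing in for bootstrap.min.css as served by
# different mirrors (not real Bootstrap content).
ORIGINAL_CSS = b".btn{display:inline-block}\n"
MIRROR_SAME = b".btn{display:inline-block}\n"          # byte-identical copy
MIRROR_CHANGED = b".btn{display:inline-block}/*x*/\n"  # a few bytes differ


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value ('sha384-<base64 digest>') for raw file bytes.

    The value depends only on the bytes, never on the URL they were fetched
    from, so any mirror serving an identical file yields the same token.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(data: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute value.

    Mirrors the browser-side check: the algorithm is taken from the attribute
    itself and the digest of the fetched body must match exactly.
    """
    algo, _, expected = integrity.partition("-")
    try:
        return sri_hash(data, algo) == f"{algo}-{expected}"
    except ValueError:  # unsupported algorithm name in the attribute
        return False


def stylesheet_link(href: str, data: bytes) -> str:
    """Build a <link> tag that keeps both integrity and crossorigin="anonymous".

    Without crossorigin, a cross-origin fetch is opaque to the page and the
    browser cannot verify the hash, so it blocks the resource outright.
    """
    return (
        f'<link rel="stylesheet" href="{html.escape(href, quote=True)}" '
        f'integrity="{sri_hash(data)}" crossorigin="anonymous">'
    )


if __name__ == "__main__":
    token = sri_hash(ORIGINAL_CSS)
    print("token for original:", token)
    print("byte-identical mirror passes:", integrity_matches(MIRROR_SAME, token))
    print("modified mirror passes:", integrity_matches(MIRROR_CHANGED, token))
    # Placeholder URL; substitute the mirror actually used.
    print(stylesheet_link("https://example.invalid/bootstrap.min.css", ORIGINAL_CSS))
```

Running it shows that the token for the byte-identical mirror verifies while the modified copy fails, which is the protection the thread describes against a file being silently replaced; the emitted tag is the form to keep when moving between mirrors.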