Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement SRI, says Moz Observatory #973

Closed
colindean opened this issue Aug 20, 2023 · 7 comments
Closed

Implement SRI, says Moz Observatory #973

colindean opened this issue Aug 20, 2023 · 7 comments
Labels
outdated

Comments

@colindean
Copy link
Sponsor Member

Quoth Mozilla Observatory, which gives brew.sh a D rating as of d60d598:

Test Pass Score Reason Info
Subresource Integrity ❌   -5 Subresource Integrity (SRI) not implemented, but all external scripts are loaded over HTTPS Subresource Integrity protects against JavaScript files and stylesheets stored on content delivery networks (CDNs) from being maliciously modified.

https://infosec.mozilla.org/guidelines/web_security#subresource-integrity has instructions.
@colindean
Copy link
Sponsor Member Author

It looks like we have some SRI in place already but need to add it one other:

brew.sh/_layouts/base.html

Lines 158 to 165 in d60d598

<script src="https://cdn.jsdelivr.net/npm/anchor-js@5.0.0/anchor.min.js"
integrity="sha256-aQmOEF2ZD4NM/xt4hthzREIo/2PFkOX/g01WjxEV7Ys="
crossorigin="anonymous"
onload="loadAnchors()"
async></script>
<script src="https://cdn.jsdelivr.net/npm/@docsearch/js@3/dist/umd/index.min.js"
onload="loadSearch('{{ page.lang }}', '{{ page.search_site }}')"
async></script>

colindean added a commit to colindean/brew.sh that referenced this issue Aug 20, 2023
@colindean
Set specific version of Algolia docsearch, set SRI
fc07155 
I was about to drop the SRI attributes, but then noticed that jsdelivr had some warnings:

* Skipped minification because the original files appear to be already minified.
* Original file: /npm/@docsearch/js@3.5.2/dist/umd/index.js
* Do NOT use SRI with dynamically generated files! More information: https://www.jsdelivr.com/using-sri-with-dynamic-files

So, to heed these warnings, I decided it was best to pin to a particular version of docsearch and use the pre-minified index.js to avoid dynamic modification.

Work toward Homebrew#973
@colindean colindean mentioned this issue Aug 20, 2023
Closed
@colindean
Copy link
Sponsor Member Author

There's an issue open upstream about this: algolia/docsearch#1561

@github-actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale label Sep 13, 2023
@colindean
Copy link
Sponsor Member Author

Keep open. I have a plan that might involve moving that in-page js to a file.

@github-actions github-actions bot removed the stale label Sep 13, 2023
@github-actions
Copy link

github-actions bot commented Oct 5, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale label Oct 5, 2023
@colindean
Copy link
Sponsor Member Author

Still on my todo list.

@github-actions github-actions bot removed the stale label Oct 6, 2023
@MikeMcQuaid
Copy link
Member

Don't think we need to keep this issue open given the PR.

@MikeMcQuaid MikeMcQuaid closed this as not planned Won't fix, can't repro, duplicate, stale Oct 6, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
outdated
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@MikeMcQuaid @colindean