[Feature Request] Support sub-resource integrity (SRI) for assets when serve_locally=False
#1505
Comments
|
Thinking about this more, it seems like this would have to be included here, and presumably the SRI hash generated during the |
AnnMarieW
pushed a commit
to AnnMarieW/dash
that referenced
this issue
Jan 6, 2021
AnnMarieW
pushed a commit
to AnnMarieW/dash
that referenced
this issue
Jan 6, 2021
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
When
serve_locally=False, scripts are retrieved from unpkg.com. From the example in the documentation, it looks like there is no subresource integrity information included, so if the CDN were to serve a malicious file, it would be run without complaint.Describe the solution you'd like
Since
dashhas full control over the component build and publishing process, it seems like it would be possible to generate the hashes required for SRI and ensure these are included.Describe alternatives you've considered
None.
Additional context
I tried to see if this issue had already been raised but couldn't find anything. I saw an issue in dashR, but that was related to explicitly including SRI in
external_scriptsand not in the component bundles delivered byserve_locally=False. It's also possible this is already included, and I've misunderstood!The text was updated successfully, but these errors were encountered: