Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement SRI on external scripts #106

Open
budparr opened this issue Jul 1, 2020 · 1 comment
Open

Implement SRI on external scripts #106

budparr opened this issue Jul 1, 2020 · 1 comment
Assignees
@budparr
Labels
Inactive: Waiting
Milestone
Improve Security

Comments

@budparr
Copy link
Member

budparr commented Jul 1, 2020
edited
Loading

Currently we only use Fathom as an external script and it can't use SRI owing to its CORS policy.

https://www.srihash.org/, enter https://cdn.usefathom.com/script.js

The URL does not support Cross-Origin Resource Sharing (CORS), when it should send a response header like Access-Control-Allow-Origin: *

I'm writing to them to ask if this is possible.
@budparr budparr added this to the Improve Security milestone Jul 1, 2020
@budparr budparr self-assigned this Jul 1, 2020
@budparr
Copy link
Member Author

budparr commented Jul 2, 2020

I have reached out to Fathom and SRI is on their roadmap. They did not give a timeline. I've determined it's not possible to hash the script ourselves because of Fathom's CORS policy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@budparr budparr

Labels
Inactive: Waiting
Projects
None yet
Milestone
Improve Security
Development

No branches or pull requests
1 participant
@budparr