Homebrew / brew.sh


Implement SRI, says Moz Observatory

colindean opened this issue · comments

Quoth Mozilla Observatory, which gives brew.sh a D rating as of d60d598:

Test: Subresource Integrity
Pass: ❌
Score: -5
Reason: Subresource Integrity (SRI) not implemented, but all external scripts are loaded over HTTPS
Info: Subresource Integrity protects against JavaScript files and stylesheets stored on content delivery networks (CDNs) from being maliciously modified.

https://infosec.mozilla.org/guidelines/web_security#subresource-integrity has instructions.

It looks like we have some SRI in place already but need to add it to one other:

brew.sh/_layouts/base.html

Lines 158 to 165 in d60d598

```html
<script src="https://cdn.jsdelivr.net/npm/anchor-js@5.0.0/anchor.min.js"
        integrity="sha256-aQmOEF2ZD4NM/xt4hthzREIo/2PFkOX/g01WjxEV7Ys="
        crossorigin="anonymous"
        onload="loadAnchors()"
        async></script>
<script src="https://cdn.jsdelivr.net/npm/@docsearch/js@3/dist/umd/index.min.js"
        onload="loadSearch('{{ page.lang }}', '{{ page.search_site }}')"
        async></script>
```

There's an issue open upstream about this: algolia/docsearch#1561
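As an added example (not code from the brew.sh repository), the following Python builds the value an `integrity` attribute needs and checks fetched bytes against it the way a browser does; the script contents are constructed stand-ins, not the real CDN files. It also shows why a floating URL like `@docsearch/js@3` cannot carry a fixed hash: any change in the served bytes fails the check.

```python
import base64
import hashlib

# Digest algorithms SRI accepts, ordered weakest to strongest.
# Browsers ignore tokens that use anything else (e.g. md5, sha1).
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algorithm: str = "sha256") -> str:
    """Return the integrity attribute value '<algo>-<base64 digest>' for content."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Decide whether a browser would execute `content` given an integrity attribute.

    The attribute may hold several whitespace-separated tokens. Tokens with an
    unknown algorithm are dropped; of the rest, only those using the strongest
    listed algorithm are compared, and a match against any one of them passes.
    If no token is usable the metadata set is empty and the load is allowed.
    """
    parsed = []
    for token in integrity.split():
        algo, sep, expected = token.partition("-")
        if sep and algo in SRI_ALGORITHMS:
            # Strip the optional "?options" suffix the spec permits after the digest.
            parsed.append((algo, expected.split("?", 1)[0]))
    if not parsed:
        return True
    strongest = max((a for a, _ in parsed), key=SRI_ALGORITHMS.index)
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode("ascii")
    return any(exp == actual for algo, exp in parsed if algo == strongest)


def floating_version_breaks(pinned: bytes, new_release: bytes) -> bool:
    """True when a hash taken from one release rejects the next one served at the same URL."""
    return not verify_sri(new_release, sri_digest(pinned))


if __name__ == "__main__":
    # Constructed stand-ins for two successive builds served from one unpinned URL.
    v3_0 = b"window.docsearch=function(){/* build 3.0 */};"
    v3_1 = b"window.docsearch=function(){/* build 3.1 */};"
    attr = sri_digest(v3_0)
    print("integrity=", attr)
    print("same build passes:", verify_sri(v3_0, attr))
    print("next build blocked:", floating_version_breaks(v3_0, v3_1))
```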

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

Keep open. I have a plan that might involve moving that in-page js to a file.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

Still on my todo list.

Don't think we need to keep this issue open given the PR.