
JS is loaded from CDN and has no SRI

Open Darthagnon opened this issue 3 years ago • 5 comments

The theme is full of remote JS. I find this annoying, for privacy and security reasons. There doesn't seem to be much point in using a CDN, unless it's SaaS JavaScript that updates all the time. SRI hashes, to ensure no malicious tampering has happened, are also omitted.

My use case: I'm making a local website to run off my PC in restricted internet environments, so remote JS (or remote anything, really) is a big no. If I remember correctly, self-contained web content is also a prerequisite for IPFS websites. It's more reliable, too, in case a JS update or the original developer messes things up.

Food-for-thought articles on why remote JS is bad:

  • https://www.theverge.com/2022/1/9/22874949/developer-corrupts-open-source-libraries-projects-affected
  • https://blog.wesleyac.com/posts/why-not-javascript-cdn
  • https://www.theverge.com/2016/3/24/11300840/how-an-irate-developer-briefly-broke-javascript

I'm currently working on a "local JS" branch in my fork. I'll be adding SRI hashes to the remote calls, and then commenting them out in favour of locally stored JS.

Darthagnon avatar Jan 10 '22 22:01 Darthagnon
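Added example, not code from hugo-theme-dream or from either participant: a small POSIX shell script that produces the `integrity` value the issue asks for (the SRI encoding is `<algo>-<base64 of the raw digest>`, with sha256, sha384 or sha512 as the algorithm), verifies a file against a pinned value the way a browser does before executing the script, and emits the `<script>` tag for a template. It assumes `openssl` is on PATH; the library file it hashes is a constructed stand-in, and the URL in the emitted tag is a placeholder.

```shell
#!/bin/sh
# Added example, not code from hugo-theme-dream: generate and check SRI digests.
# Assumes openssl is on PATH; the sample library file below is constructed.
set -eu

# sri_hash ALGO FILE -> "ALGO-<base64 of raw digest>", the exact integrity value
# browsers compare against. SRI only accepts sha256, sha384 and sha512.
sri_hash() {
    algo="$1"
    file="$2"
    case "$algo" in
        sha256|sha384|sha512) ;;
        *) echo "sri_hash: $algo is not an SRI algorithm" >&2; return 1 ;;
    esac
    digest=$(openssl dgst "-$algo" -binary "$file" | openssl base64 -A)
    printf '%s-%s\n' "$algo" "$digest"
}

# sri_verify INTEGRITY FILE -> exit 0 if FILE matches INTEGRITY, 1 otherwise.
# This is the check a browser performs before running a script that carries
# an integrity attribute.
sri_verify() {
    expected="$1"
    file="$2"
    algo="${expected%%-*}"   # base64 never contains '-', so the prefix is the algo
    actual=$(sri_hash "$algo" "$file")
    [ "$actual" = "$expected" ]
}

# script_tag URL FILE [ALGO] -> the <script> element to paste into a template.
# crossorigin="anonymous" matters for cross-origin SRI: without a CORS response
# the browser cannot read the body to hash it and refuses to run the script.
script_tag() {
    url="$1"
    file="$2"
    algo="${3:-sha384}"
    printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
        "$url" "$(sri_hash "$algo" "$file")"
}

sri_demo() {
    tmp=$(mktemp -d)
    # Constructed stand-in for a library fetched from a CDN. In practice, hash the
    # exact bytes the CDN serves for a pinned version, never a hand-edited copy.
    printf 'window.greet = function () { return "hello"; };\n' > "$tmp/lib.js"

    echo "# SHA-256 and SHA-384 are both valid SRI algorithms:"
    script_tag "/js/lib.js" "$tmp/lib.js" sha256
    script_tag "/js/lib.js" "$tmp/lib.js" sha384

    pinned=$(sri_hash sha384 "$tmp/lib.js")
    if sri_verify "$pinned" "$tmp/lib.js"; then
        echo "# untouched file: integrity OK"
    fi

    # Simulate a tampered or silently updated upstream: one appended byte.
    printf ';' >> "$tmp/lib.js"
    if sri_verify "$pinned" "$tmp/lib.js"; then
        echo "# BUG: tampered file accepted"
    else
        echo "# tampered file: integrity mismatch, a browser would refuse to run it"
    fi
    rm -rf "$tmp"
}

sri_demo
```

The same `sri_hash` output is what jsDelivr shows in its "copy with SRI" snippet, so the values can be cross-checked against the CDN before vendoring the file locally. Note that an `integrity` attribute only protects against a file that changes after you pinned it; it does nothing if the version you pinned was already compromised, which is why a local copy that is reviewed once is the stronger option for the use case in the post.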

See this branch: https://github.com/Darthagnon/hugo-theme-dream/tree/local-js

Darthagnon avatar Jan 11 '22 00:01 Darthagnon

Makes sense. I think both CDN and local resources have their advantages and disadvantages. Maybe I can add an option to decide whether to enable the CDN or not?

> SRI hashes, to ensure no malicious tampering has happened, are also omitted.

This is indeed missing; I will recheck and add them to each remote resource. Thanks for pointing this out! 🍻

g1eny0ung avatar Jan 11 '22 08:01 g1eny0ung

> Makes sense. I think both CDN and local resources have their advantages and disadvantages. Maybe I can add an option to decide whether to enable the CDN or not?
>
> > SRI hashes, to ensure no malicious tampering has happened, are also omitted.
>
> This is indeed missing; I will recheck and add them to each remote resource. Thanks for pointing this out! 🍻

I already did it in the branch; if you like, I can open a pull request and save you the work.

EDIT: Nice, I prefer SHA-256 like you did; I only used SHA-384 because it was the default.

Darthagnon avatar Jan 11 '22 14:01 Darthagnon

> I already did it in the branch; if you like, I can open a pull request and save you the work.

That would be great! Thanks for your work.

> EDIT: Nice, I prefer SHA-256 like you did; I only used SHA-384 because it was the default.

Just copied from jsDelivr. 😝

g1eny0ung avatar Jan 12 '22 09:01 g1eny0ung

I believe this issue is solved in my active fork and here in master; I'll close it here once I've double-checked.

Darthagnon avatar Jan 20 '23 15:01 Darthagnon