Add subresource integrity hashes

Open Fil opened this issue 1 year ago • 3 comments

We could add subresource integrity hashes to scripts (and stylesheets?).

Related:

  • #20
  • #303

Fil • Dec 04 '23 10:12

I had to turn this off because +esm isn’t compatible with SRI; the contents can change. So this probably needs to be paired with #20 to download the modules themselves and thereby guarantee that they can’t change.

mbostock • Dec 06 '23 03:12

Does this even matter anymore since everything is now self-hosted? The scenario where an attacker hacks into the scripts is at the same threat level as an attacker hacking into the website.

Fil • Mar 23 '24 16:03

I think it’s a lot less important, certainly. I don’t know if there’s a compelling use case if everything is self-hosted, but we could in theory still support it.

mbostock • Mar 23 '24 17:03