Adding subresource hashes to CDN links. #17729
+6
−3
3 participants
_config.yml
| @@ -28,5 +28,8 @@ expo: http://expo.getbootstrap.com | ||
| cdn: | ||
| css: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css | ||
| + css_hash: sha384-pdapHxIh7EYuwy6K7iE41uXVxGCXY0sAjBzaElYGJUrzwodck3Lx6IE2lA0rFREo |
|
Should probably include a comment here saying how to generate the hash I used https://srihash.org , instructions are also on that page.
cat FILENAME.js |
openssl dgst -sha384 -binary |
openssl enc -base64 -A
For porting to 4, it might be best to make this apart of building the documentation (if possible).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
|
Shouldn't this be applied for jQuery loaded from Google's CDN?
It can be applied to CSS or JS resources. There is no harm in applying it all over. Unless you're afraid the hash will fail and cause page errors, but you're already trusting a third party to serve code to you.
--
Chris Barry
…
Merged. Thanks!
Also updated the relevant page of the hosted docs: http://getbootstrap.com/getting-started/#download-cdn
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In Firefox 43 and Chrome 45 there will be support for Subresource Integrity (SRI). More information here: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity