- Issue created by @douggreen
- Merge request !4#3447473: Add SRI crossorigin and integrity config option (Open) created by douggreen
- Status changed to Needs review
8 months ago 12:00pm 16 May 2024
Thank you for taking the time and effort to implement Subresource Integrity on the Crazy Egg script as a user option within Drupal. While we don't see anything incorrect or dangerous with your work, due to the structure of Crazy Egg's JavaScript it won't work as expected. The user-specific URL that you protected with Drupal is only one (very small) loader script. This loader script then goes on to load other JavaScript files. These other JavaScript files make up the bulk of the Crazy Egg code that executes on the page.
So while your change would protect the initial script, it wouldn't protect the site from changes to all the other JavaScript files. Our concern is that it would provide a false sense of security. At this point we don't plan to add SRI for the other scripts. We offer self-hosting and version locking for customers instead.
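The coverage gap described in the comment above, as an added example (not code from Crazy Egg or from the merge request): SRI pins only the bytes of the tagged loader, so any script the loader injects falls outside the check. The loader body, the `cdn.example.test` URL and the function names are constructed for illustration, and the `.src` regex is a heuristic, not a full JavaScript parser.

```javascript
const crypto = require("crypto");

const SRI_ALGS = new Set(["sha256", "sha384", "sha512"]);

// Value for <script integrity="...">: a digest of this one resource body only.
function sriHash(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Mirrors the browser check for a single-hash integrity attribute.
function sriMatches(body, integrity) {
  const alg = integrity.slice(0, integrity.indexOf("-"));
  return SRI_ALGS.has(alg) && sriHash(body, alg) === integrity;
}

// Heuristic: URLs the loader assigns to a `.src` property, i.e. scripts it
// injects at runtime. These are fetched without any integrity attribute.
function chainedScriptUrls(loaderSource) {
  const re = /\.src\s*=\s*["']([^"']+)["']/g;
  return [...loaderSource.matchAll(re)].map((m) => m[1]);
}

// Audit one pinned third-party tag: is the loader verified, and which
// follow-on scripts remain outside the SRI check?
function audit(loaderBody, pinnedIntegrity) {
  return {
    loaderVerified: sriMatches(loaderBody, pinnedIntegrity),
    uncovered: chainedScriptUrls(loaderBody),
  };
}

// Constructed sample loader (not the vendor's real script).
const LOADER = `(function(){var s=document.createElement("script");
s.src="https://cdn.example.test/stage2/core.js";s.async=true;
document.head.appendChild(s);})();`;

const pinned = sriHash(LOADER);
// The pinned hash never takes the second-stage body as input, so the loader
// keeps verifying whatever core.js contains at fetch time.
console.log(audit(LOADER, pinned));
```

A non-empty `uncovered` list means the `integrity` attribute on the tag does not cover the code that does most of the work; self-hosting or version locking, as the comment mentions, addresses that part.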
- Status changed to Postponed
7 months ago 4:30pm 29 May 2024
- Status changed to Closed: won't fix
3 months ago 6:25pm 2 October 2024
- 🇺🇸 United States douggreen Winchester, VA
Closing, ... I ran into the same issue. We've decided to not pursue SRI for external JS provided by reliable 3rd parties such as yourself. While there is a security concern, it's impossible for us to keep up with 3rd party libraries which might change. This really is the responsibility of those 3rd party libraries, such as Crazy Egg, to provide SRIs.