Created on 15 May 2024, 8 months ago

To better secure external JS, modern browsers support SRI hash attributes that should be added to <script> tags. I propose a new config option that, if set, will calculate the account's sha384 SRI hash, store this in config, and add it as a SCRIPT attribute when available. The admin can disable it by unchecking the box or recalculate it by unchecking and then checking.
✨ Feature request
Status: Active
Version: 1.0
Component: Code
Created by: 🇺🇸 United States douggreen Winchester, VA

Comments & Activities

  • Issue created by @douggreen
  • Status changed to Needs review 8 months ago
  • Thank you for taking the time and effort to implement SubResource Integrity on the Crazy Egg script as a user option within Drupal. While we don't see anything incorrect or dangerous with your work, due to the structure of Crazy Egg's JavaScript it won't work as expected. The user-specific URL that you protected with Drupal is only one (very small) loader script. This loader script then goes on to load other JavaScript files. These other JavaScript files make up the bulk of the Crazy Egg code that executes on the page.

    So while your change would protect the initial script, it wouldn't protect the site from changes to all the other JavaScript files. Our concern is that it would provide a false sense of security. At this point we don't plan to add SRI for the other scripts. We offer self-hosting and version locking for customers instead.

  • Status changed to Postponed 7 months ago
  • Status changed to Closed: won't fix 3 months ago
  • 🇺🇸 United States douggreen Winchester, VA

    Closing, ... I ran into the same issue. We've decided to not pursue SRI for external JS provided by reliable 3rd parties such as yourself. While there is a security concern, it's impossible for us to keep up with 3rd party libraries which might change. This really is the responsibility of those 3rd party libraries, such as crazyegg, to provide SRIs.
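As an added example (not code from the issue or from the Crazy Egg module), the sha384 SRI calculation the proposal describes and the loader caveat from the Crazy Egg reply, in Python; the loader URL and body are constructed stand-ins, not the real Crazy Egg loader:

```python
import base64
import hashlib
import html
import re

# Constructed stand-in for the account-specific loader script the issue wants to
# protect (hypothetical URL and body; the real Crazy Egg loader is not on the page).
LOADER_URL = "https://script.example-crazyegg.test/pages/scripts/0000/0000.js"
LOADER_BODY = (
    b'(function(){var s=document.createElement("script");'
    b's.src="https://script.example-crazyegg.test/pages/scripts/0000/0000/core.js";'
    b'document.head.appendChild(s);})();'
)


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token for a script body, e.g. 'sha384-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def script_tag(src: str, integrity: str = "") -> str:
    """Render the <script> tag; integrity is emitted only when a hash is stored."""
    attrs = ['src="%s"' % html.escape(src, quote=True)]
    if integrity:
        # A cross-origin script needs crossorigin="anonymous" for SRI to work;
        # without it the browser cannot check the opaque response and blocks it.
        attrs.append('integrity="%s"' % html.escape(integrity, quote=True))
        attrs.append('crossorigin="anonymous"')
    return "<script %s></script>" % " ".join(attrs)


def matches(body: bytes, stored: str) -> bool:
    """Does a freshly fetched body still match the hash stored in config?"""
    return sri_hash(body, stored.split("-", 1)[0]) == stored


def downstream_urls(loader_body: bytes) -> list:
    """URLs the loader fetches itself: SRI on the loader tag does not cover these."""
    return re.findall(r'https?://[^"\'\s]+\.js', loader_body.decode("utf-8", "replace"))


if __name__ == "__main__":
    stored = sri_hash(LOADER_BODY)  # what the proposed config option would store
    print(script_tag(LOADER_URL, stored))
    print("loader unchanged:", matches(LOADER_BODY, stored))
    print("not covered by the loader's hash:", downstream_urls(LOADER_BODY))
```

Recalculating after "unchecking and then checking" is just calling sri_hash on the newly fetched body; any script the loader pulls in afterwards is outside that hash, which is the false-sense-of-security point in the reply.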
