I wouldn't think you'd need any additional attributes. Just something like:
<link rel="stylesheet" type="text/css" href="
">
This is how I do it in my tools.
~ MA
On Wed, Jun 24, 2020 at 10:15 AM Roy Smith <roy(a)panix.com> wrote:
Oh, this is unexpected. When I do the change diffed
below, I get:
Subresource Integrity: The resource '
https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/cs…
has an integrity attribute, but the resource requires the request to be
CORS enabled to check the integrity, and it is not. The resource has been
blocked because the integrity cannot be enforced.
It looks like I need to drop the integrity attribute as well. Or, is
there value in keeping both the integrity and crossorigin="anonymous",
since (I'm assuming) that will provide some protection against the file
being unexpectedly replaced with something else?
On Jun 24, 2020, at 9:41 AM, Roy Smith <roy(a)panix.com> wrote:
Thank you for reminding me that fixing this has been on my list
<https://github.com/roysmith/spi-tools/issues/4> for a while. My CSP-fu
is weak. As I understand it, all I need do is:
<!-- Bootstrap CSS -->
<link
rel="stylesheet"
- href="
https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css&qu…
-
integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T"
- crossorigin="anonymous">
+ href="
https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/cs…
"
+
integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T">
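Review bot: The added `<link>` keeps `integrity=` but no longer carries `crossorigin="anonymous"` (dropped on the `-` side), while the new `href` is still an absolute URL on a separate host. A browser can only check a subresource hash on a cross-origin file when the request is made in CORS mode, so this combination gets the stylesheet blocked rather than verified. Either keep `crossorigin="anonymous"` on the new tag or remove `integrity` together with it. The sha384 value is also carried over unchanged from the stackpath URL, so confirm it against the bytes the new host actually serves before relying on it.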
and similar changes for the other linked-to resources. Two specific
questions:
- The integrity token is the same, no matter which mirror I get it
from?
- I can drop the crossorigin attribute since I'm not doing CORS any
more?
On Jun 23, 2020, at 3:06 PM, MusikAnimal <musikanimal(a)gmail.com> wrote:
The Content Security Policy violations are report-only, if that's what
you're referring to. Popper, Bootstrap, jQuery and Selectize are all
available via https://cdnjs.toolforge.org/ which will get around the CSP
directive. For fonts you could try https://fontcdn.toolforge.org/
~ MA
_______________________________________________
Wikimedia Cloud Services mailing list
Cloud(a)lists.wikimedia.org (formerly labs-l(a)lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/cloud
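The two questions in this thread (is the integrity token the same on every mirror, and can crossorigin be dropped), as an added example that is not code from any of the posters or from spi-tools. The token is a hash of the file's bytes, so it matches across mirrors only when the bytes match, and the audit flags the cross-origin integrity-without-crossorigin case from the browser error quoted above. Host names, file contents and the `sri_token`/`audit` helpers are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


def sri_token(body: bytes, alg: str = "sha384") -> str:
    """SRI token for these exact bytes: '<alg>-<base64 of the raw digest>'."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


class SriAudit(HTMLParser):
    """Flag cross-origin <link>/<script> tags that set integrity without crossorigin."""

    def __init__(self, page_origin: str):
        super().__init__()
        self.page_origin = page_origin
        self.blocked = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("link", "script"):
            return
        a = dict(attrs)
        url = (a.get("href") or a.get("src") or "").strip()
        parts = urlsplit(url)
        if not parts.netloc:
            return  # relative URL: same origin, SRI needs no CORS request
        cross_origin = f"{parts.scheme}://{parts.netloc}" != self.page_origin
        if cross_origin and "integrity" in a and "crossorigin" not in a:
            self.blocked.append(url)


def audit(html: str, page_origin: str) -> list:
    parser = SriAudit(page_origin)
    parser.feed(html)
    return parser.blocked


# Constructed sample data: placeholder hosts and a stand-in for the mirrored file.
CSS = b"body{margin:0}\n"
TOKEN = sri_token(CSS)
PAGE = f"""
<link rel="stylesheet" href="https://mirror-a.example/x.css" integrity="{TOKEN}">
<link rel="stylesheet" href="https://mirror-b.example/x.css" integrity="{TOKEN}" crossorigin="anonymous">
<link rel="stylesheet" href="/static/site.css" integrity="{TOKEN}">
"""

if __name__ == "__main__":
    print("same bytes, same token:", sri_token(bytes(CSS)) == TOKEN)
    print("one byte added:", sri_token(CSS + b" ") == TOKEN)
    print("blocked by the browser:", audit(PAGE, "https://tool.example"))
```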