Oh, this is unexpected. When I do the change diffed below, I get:
It looks like I need to drop the integrity attribute as well. Or, is there value in keeping both the integrity and crossorigin="anonymous", since (I'm assuming) that will provide some protection against the file being unexpectedly replaced with something else?
Thank you for reminding me that fixing this
has been on my list for a while. My CSP-fu is weak. As I understand it, all I need do is:
<!-- Bootstrap CSS -->
<link
rel="stylesheet"
- integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T"
- crossorigin="anonymous">
+ integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T">
and similar changes for the other linked-to resources. Two specific questions:
- The integrity token is the same, no matter which mirror I get it from?
- I can drop the crossorigin attribute since I'm not doing CORS any more?
_______________________________________________
Wikimedia Cloud Services mailing list
Cloud@lists.wikimedia.org (formerly
labs-l@lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/cloud