Oh, this is unexpected. When I do the change diffed below, I get:
Subresource Integrity: The resource
'https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css'
has an integrity attribute, but the resource requires the request to be CORS enabled to
check the integrity, and it is not. The resource has been blocked because the integrity
cannot be enforced.
It looks like I need to drop the integrity attribute as well. Or, is there value in
keeping both the integrity and crossorigin="anonymous", since (I'm assuming)
that will provide some protection against the file being unexpectedly replaced with
something else?
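The two points in play here (SRI can only be enforced on a CORS-mode request, and the token depends only on the file bytes, not on which mirror serves them), as an added example that is not part of this thread: a small Python checker. The HTML snippet and the page origin are constructed for illustration; the integrity value is the one quoted in the thread.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Integrity value quoted in the thread; the HTML snippet and page origin are constructed.
INTEGRITY = "sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T"
CSS_URL = "https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css"
PAGE_ORIGIN = "https://tool.example"  # placeholder for the tool's own origin
SAMPLE_HTML = f"""
<link rel="stylesheet" href="{CSS_URL}" integrity="{INTEGRITY}">
<link rel="stylesheet" href="{CSS_URL}" integrity="{INTEGRITY}" crossorigin="anonymous">
"""


def sri_token(data: bytes, algo: str = "sha384") -> str:
    """Integrity value for the given bytes: '<algo>-<base64 digest>'.

    It depends only on the bytes, so two mirrors serving an identical file
    yield the same token, and any altered copy fails to match.
    """
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode('ascii')}"


def token_matches(data: bytes, expected: str) -> bool:
    """True if the bytes fetched from a mirror match the integrity attribute."""
    return sri_token(data, expected.split("-", 1)[0]) == expected


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("link", "script"):
            self.tags.append(dict(attrs))


def audit_sri(html: str, page_origin: str) -> list:
    """One finding per <link>/<script> whose integrity the browser cannot enforce.

    A cross-origin resource carrying an integrity attribute must be requested
    in CORS mode (a crossorigin attribute); otherwise the browser refuses to
    load it, which is the console error quoted at the top of the thread.
    """
    parser = _TagCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.tags:
        url = attrs.get("href") or attrs.get("src")
        if not url or "integrity" not in attrs:
            continue
        parsed = urlparse(url)
        if not parsed.netloc:  # relative URL: same origin, no CORS needed
            continue
        if f"{parsed.scheme}://{parsed.netloc}" != page_origin and "crossorigin" not in attrs:
            findings.append(f"{url}: integrity set without crossorigin; browser will block it")
    return findings
```

Running `audit_sri(SAMPLE_HTML, PAGE_ORIGIN)` flags only the first `<link>`; the second, which keeps `crossorigin="anonymous"`, passes.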
On Jun 24, 2020, at 9:41 AM, Roy Smith <roy(a)panix.com> wrote:
Thank you for reminding me that fixing this has been on my list
<https://github.com/roysmith/spi-tools/issues/4> for a while. My CSP-fu is weak.
As I understand it, all I need do is:
<!-- Bootstrap CSS -->
<link
rel="stylesheet"
-
href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap…
<https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css>"
-
integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T"
- crossorigin="anonymous">
+
href="https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstr…
<https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css>"
+
integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T">
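Review bot: the `+` lines keep the integrity attribute but drop `crossorigin="anonymous"`, and that combination will not load: a browser can only verify SRI on a cross-origin resource when the request is made in CORS mode, so without a crossorigin attribute it blocks the stylesheet outright, which is exactly the "requires the request to be CORS enabled" error reported in the later reply. Keep `crossorigin="anonymous"` next to `integrity=` on the new `tools-static.wmflabs.org` href. The integrity token itself can stay unchanged as long as the mirrored file is byte-identical to the stackpath copy, since it is a hash of the file contents and not of the URL it is served from.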
and similar changes for the other linked-to resources. Two specific questions:
1. The integrity token is the same, no matter which mirror I get it from?
2. I can drop the crossorigin attribute since I'm not doing CORS any more?
On Jun 23, 2020, at 3:06 PM, MusikAnimal <musikanimal(a)gmail.com> wrote:
The Content Security Policy violations are report-only, if that's what you're
referring to. Popper, Bootstrap, jQuery and Selectize are all available via
https://cdnjs.toolforge.org/ which will get around
the CSP directive. For fonts you could try
https://fontcdn.toolforge.org/
~ MA
_______________________________________________
Wikimedia Cloud Services mailing list
Cloud(a)lists.wikimedia.org (formerly labs-l(a)lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/cloud