Honestly, I don't see any downsides to just keeping the attributes. Integrity validation is a valid defense and if it's blocked for some reason that should be fixed on our side.

YiFei Zhu

On Wed, Jun 24, 2020, 10:11 MusikAnimal <musikanimal@gmail.com> wrote:
I wouldn't think you'd need any additional attributes. Just something like:

<link rel="stylesheet" type="text/css" href="https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css">

This is how I do it in my tools.

~ MA

On Wed, Jun 24, 2020 at 10:15 AM Roy Smith <roy@panix.com> wrote:
Oh, this is unexpected.  When I do the change diffed below, I get:

Subresource Integrity: The resource 'https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css' has an integrity attribute, but the resource requires the request to be CORS enabled to check the integrity, and it is not. The resource has been blocked because the integrity cannot be enforced.

It looks like I need to drop the integrity attribute as well.  Or, is there value in keeping both the integrity and crossorigin="anonymous", since (I'm assuming) that will provide some protection against the file being unexpectedly replaced with something else?




On Jun 24, 2020, at 9:41 AM, Roy Smith <roy@panix.com> wrote:

Thank you for reminding me that fixing this has been on my list for a while.  My CSP-fu is weak.  As I understand it, all I need do is:

 <!-- Bootstrap CSS -->
 <link
   rel="stylesheet"
-  integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T"
-  crossorigin="anonymous">
+  integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T">
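Review bot: this hunk drops crossorigin="anonymous" but keeps integrity, and a browser will refuse to apply a cross-origin stylesheet whose hash it cannot verify; integrity can only be checked on a response fetched in CORS mode, so either keep `crossorigin="anonymous"` alongside the `integrity` line or remove both attributes. Keeping both is the better option as long as the new host answers with Access-Control-Allow-Origin, since the hash is computed over the file bytes and protects against the file being swapped.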

and similar changes for the other linked-to resources.  Two specific questions:
  • The integrity token is the same, no matter which mirror I get it from?
  • I can drop the crossorigin attribute since I'm not doing CORS any more?

On Jun 23, 2020, at 3:06 PM, MusikAnimal <musikanimal@gmail.com> wrote:

The Content Security Policy violations are report-only, if that's what you're referring to. Popper, Bootstrap, jQuery and Selectize are all available via https://cdnjs.toolforge.org/ which will get around the CSP directive. For fonts you could try https://fontcdn.toolforge.org/

~ MA

_______________________________________________
Wikimedia Cloud Services mailing list
Cloud@lists.wikimedia.org (formerly labs-l@lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/cloud
