Subresource Integrity

Description

Subresource Integrity

Summary:
SRI is a new specification that allows associating a hash with a resource file.

This allows us to trust external CDNs to serve the exact file we computed the hash for.
If not, for example because of a MITM attack, the browser will block the resource.

Side edit: ' → " as HTML attributes delimiters.

Test Plan: Visit pages and check that each resource is correctly loaded.

Reviewers: dereckson

Tags: security

Differential Revision: http://devcentral.nasqueron.org/D451

Details

Auditors
dereckson
Provenance
dereckson Authored on Jul 2 2016, 15:34
Differential Revision
D451: Subresource Integrity
Parents
rGROVE16ace564ac0b: Allow to customize /auth route
Branches
Unknown
Tags
Unknown

Event Timeline

dereckson added inline comments.
/resources/views/app.blade.php
13

Font stylesheet is optimized to target system:

lang=diff,name diff between wget (-) and Chrome (+)
-  src: local('Roboto'), local('Roboto-Regular'), url(https://fonts.gstatic.com/s/roboto/v15/zN7GBFwfMP4uA6AR0HCoLQ.ttf) format('truetype');
+  src: local('Roboto'), local('Roboto-Regular'), url(https://fonts.gstatic.com/s/roboto/v15/CWB0XYA8bzo0kSThX0UTuA.woff2) format('woff2');
+  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2212, U+2215, U+E0FF, U+EFFD, U+F000;
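Review bot: the wget (-) and Chrome (+) responses differ in the src URL and in the added unicode-range line, so the bytes of this stylesheet depend on the requesting client, and a single integrity hash on the font stylesheet link in app.blade.php cannot match both. Suggest leaving the integrity attribute off that link, or serving a copy of the stylesheet from our own host so the hashed bytes are fixed.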
dereckson marked an inline comment as done.
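
Why the stylesheet difference in the inline comment matters for SRI, as an added example that is not part of the commit or the project's code: it computes an integrity value and mimics the browser's check against two constructed stylesheet bodies. Only the two src lines come from the page; the function names and the `@font-face` wrapper are assumptions.

```python
import base64
import hashlib

ALGORITHMS = ("sha256", "sha384", "sha512")  # weakest to strongest

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Build an integrity token such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, body).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")

def sri_matches(body: bytes, integrity: str) -> bool:
    """Mimic the browser check: ignore unknown algorithms, keep only the
    strongest one listed, accept the body if any token of it matches."""
    tokens = []
    for item in integrity.split():
        alg, _, rest = item.partition("-")
        if alg in ALGORITHMS and rest:
            tokens.append((alg, rest.split("?", 1)[0]))  # drop ?options
    if not tokens:
        return True  # no usable metadata: resource loads unchecked
    strongest = max((a for a, _ in tokens), key=ALGORITHMS.index)
    return any(sri_value(body, a) == a + "-" + d
               for a, d in tokens if a == strongest)

def font_face(src_line: str) -> bytes:
    # Hypothetical wrapper; only the src lines come from the page.
    return ("@font-face {\n  " + src_line + "\n}\n").encode("utf-8")

# Constructed sample bodies for the two variants in the inline comment.
BASE = "https://fonts.gstatic.com/s/roboto/v15/"
WGET_CSS = font_face("src: local('Roboto'), local('Roboto-Regular'), url("
                     + BASE + "zN7GBFwfMP4uA6AR0HCoLQ.ttf) format('truetype');")
CHROME_CSS = font_face("src: local('Roboto'), local('Roboto-Regular'), url("
                       + BASE + "CWB0XYA8bzo0kSThX0UTuA.woff2) format('woff2');")

def pinned_from_wget() -> dict:
    """Pin the hash of the wget variant, then check what each client gets."""
    pinned = sri_value(WGET_CSS)
    return {"wget": sri_matches(WGET_CSS, pinned),
            "chrome": sri_matches(CHROME_CSS, pinned)}

if __name__ == "__main__":
    print(sri_value(WGET_CSS))
    print(pinned_from_wget())  # the Chrome variant is rejected
```

Listing the hashes of both variants in one integrity attribute makes either body pass, but any further variant the CDN serves would still be blocked.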