Open edent opened 5 years ago
Related: #10707
Also worth noting that devicepx may go away in the future: https://github.com/Automattic/jetpack/pull/10189#issuecomment-424406791
This issue has been marked as stale. This happened because:
No further action is needed. But it's worth checking if this ticket has clear reproduction steps and it is still reproducible. Feel free to close this issue if you think it's not valid anymore — if you do, please add a brief explanation.
Is your feature request related to a problem? Please describe.
The file devicepx-jetpack.js should be loaded with SubResource Integrity.
Describe the solution you'd like
Describe alternatives you've considered
SRI is well supported in major browsers and has no negative impact on legacy browsers.
Adding SRI means that if the CDN is compromised, or the code is maliciously altered, browsers will not execute it.
Additional context
As per #10027, the CDN supports CORS.
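An added example, not part of the original issue or Jetpack's code: a Node.js sketch that produces the `integrity` value for a script and applies a simplified form of the browser's check, including the rule that only the strongest listed algorithm counts. The sample bytes and the `cdn.example` URL are constructed placeholders; `crossorigin="anonymous"` is set because SRI on a cross-origin script depends on the CORS support noted above.

```javascript
const crypto = require('node:crypto');

// Weakest to strongest; when several hashes are listed, only the strongest counts.
const ALGOS = ['sha256', 'sha384', 'sha512'];

// Build the value of the integrity="" attribute from the file bytes.
function sriHash(body, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(body).digest('base64')}`;
}

// Simplified browser-side check: parse the metadata, keep the strongest
// algorithm present, accept if any hash of that strength matches the bytes.
function sriMatches(body, integrity) {
  const parsed = integrity.trim().split(/\s+/)
    .map((token) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(token))
    .filter(Boolean)
    .map((m) => ({ algo: m[1], digest: Buffer.from(m[2], 'base64') }));
  // No recognised hash means no integrity requirement: the resource loads.
  if (parsed.length === 0) return true;
  const strongest = parsed.reduce((a, b) =>
    (ALGOS.indexOf(b.algo) > ALGOS.indexOf(a.algo) ? b : a)).algo;
  return parsed
    .filter((p) => p.algo === strongest)
    .some((p) => crypto.createHash(p.algo).update(body).digest().equals(p.digest));
}

// Emit the tag a page would carry (src is a hypothetical placeholder URL).
function scriptTag(src, body) {
  return `<script src="${src}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample bytes standing in for devicepx-jetpack.js.
const original = Buffer.from('/* constructed sample */ var ratio = 1;\n');
const tampered = Buffer.from('/* constructed sample */ var ratio = 2;\n');

console.log(scriptTag('https://cdn.example/devicepx-jetpack.js', original));
console.log('unmodified file accepted:', sriMatches(original, sriHash(original)));
console.log('altered file accepted:', sriMatches(tampered, sriHash(original)));
```

The hash has to be regenerated whenever the served file changes, otherwise browsers will refuse to run the legitimate update.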