atjn / easy-web-app-builder

Make your website better with one command.
MIT License

Support Subresource Integrity #3

Open atjn opened 2 years ago

atjn commented 2 years ago

EWAB should automatically detect any scripts and styles that are included in a document, and produce integrity hashes for them.

If the scripts are inline, their hashes will need to be served in HTTP CSP headers, and since EWAB doesn't handle headers, the best it can do is output the hashes in a standardized format that the developer can then plug into the server.

This is not just an added security feature. EWAB uses custom elements with inline styles for several UI components, and that means you have to set `'unsafe-inline'` in the CSP header to make the components work :( Using EWAB shouldn't require you to downgrade security.

atjn commented 2 years ago

This should be doable with SSRI and a lot of magic.