EWAB should automatically detect any scripts and styles that are included in a document, and produce integrity hashes for them.
If the scripts are inline, their hashes will need to be served in HTTP CSP headers, and since EWAB doesn't handle headers, the best it can do is output the hashes in a standardized format that the developer can then plug into the server.
This is not just an added security feature. EWAB uses custom elements with inline styles for several UI components, and that means you have to set unsafe-inline in the CSP header to make the components work :( Using EWAB shouldn't require you to downgrade security.
EWAB should automatically detect any scripts and styles that are included in a document, and produce
integrity
hashes for them.If the scripts are inline, their hashes will need to be served in HTTP CSP headers, and since EWAB doesn't handle headers, the best it can do is output the hashes in a standardized format that the developer can then plug into the server.
This is not just an added security feature. EWAB uses custom elements with inline styles for several UI components, and that means you have to set
unsafe-inline
in the CSP header to make the components work :( Using EWAB shouldn't require you to downgrade security.