kindspells / astro-shield

Astro integration to enhance your website's security with SubResource Integrity hashes, Content-Security-Policy headers, and other techniques.
https://astro-shield.kindspells.dev
MIT License

Allow deleting script/style/link elements when they cannot be marked with the `integrity` attribute #52

Closed castarco closed 5 months ago

castarco commented 5 months ago

As of today, when Astro-Shield detects a resource (<script>, <style>, <link rel="stylesheet">) that cannot be "verified" for any reason, it just avoids adding the integrity attribute to it, and it also avoids adding its SRI hash to the CSP policy.

In general, that should suffice to protect the user from a potentially malicious resource, but it does not make sense to refer to it in the HTML code if the browser will reject loading it anyway.

Given that removing code from the output can be confusing for some users, I suggest introducing this behaviour under a flag, making it opt-in.

castarco commented 5 months ago

In the end, we implemented this as a default behaviour for security reasons. Fixed in #59.