As of today, when Astro-Shield detects a resource (`<script>`, `<style>`, `<link rel="stylesheet">`) that cannot be "verified" for any reason, it just avoids adding the `integrity` attribute to it, and it also avoids adding its SRI hash to the CSP policy.
In general, that should suffice to protect the user from a potentially malicious resource, but it does not make sense to refer to it in the HTML code if the browser will reject loading it anyway.
Given that removing code from the output can be confusing for some users, I suggest introducing this behaviour under a flag, making it opt-in.