kindspells / astro-shield

Astro integration to enhance your website's security with SubResource Integrity hashes, Content-Security-Policy headers, and other techniques.
https://astro-shield.kindspells.dev
MIT License

Relative protocol notation not supported #82

Closed cedmax closed 2 months ago

cedmax commented 5 months ago

Resources referenced with a relative protocol (// notation, like the example below) lead to an error, as the library fails to recognise them as remote assets.

<script src="//cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/prism.min.js" is:inline></script>

leads to

ENOENT: no such file or directory, open '/Users/username/Workspace/my-project/dist/cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/prism.min.js'

whilst ideally it should be treated as if it were

<script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/prism.min.js" is:inline></script>
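The behaviour described in this issue comes down to how a `src` value is classified before hashing: a check that only looks for an `http://` or `https://` prefix treats `//host/path` as a local path and tries to open it under the build directory. The following is an added example (not astro-shield's code) that contrasts that naive check with one based on the WHATWG URL parser, which resolves protocol-relative URLs against the page's own origin. The page origin `https://example.com` and the `dist` directory are assumed values.

```javascript
// Added example, not part of astro-shield. Classifies a <script src> value as
// remote, local, or not eligible for SRI, handling protocol-relative "//host/path".

// Naive classifier that reproduces the failure mode from the issue: anything
// without an explicit http(s) scheme is assumed to be a file in the build output.
function naiveClassify(src, distDir) {
  if (/^https?:\/\//i.test(src)) {
    return { kind: 'remote', url: src };
  }
  return { kind: 'local', file: distDir.replace(/\/+$/, '') + '/' + src.replace(/^\/+/, '') };
}

// Corrected classifier: parse src relative to the page origin (assumed value).
// "//cdn.example/x.js" becomes "https://cdn.example/x.js" for an https page,
// "/js/app.js" resolves to the page origin and is mapped onto distDir.
function classifyResource(src, { pageOrigin = 'https://example.com', distDir }) {
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch {
    return { kind: 'invalid', src };
  }

  // Only http(s) resources can be fetched and hashed; data:, blob:, javascript:
  // and similar schemes are reported rather than silently treated as files.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { kind: 'unsupported', url: url.href };
  }

  const page = new URL(pageOrigin);
  if (url.origin !== page.origin) {
    return { kind: 'remote', url: url.href };
  }

  // Same-origin asset: map the path component onto the build directory. The URL
  // parser already collapses "." and ".." segments, but the decoded path is
  // re-checked so nothing can point outside distDir.
  let rel;
  try {
    rel = decodeURIComponent(url.pathname);
  } catch {
    return { kind: 'invalid', src };
  }
  const segments = rel.split('/').filter((s) => s.length > 0);
  if (segments.some((s) => s === '..')) {
    return { kind: 'invalid', src };
  }
  return { kind: 'local', file: distDir.replace(/\/+$/, '') + '/' + segments.join('/') };
}

// Constructed sample input: the protocol-relative CDN URL from the issue.
const SAMPLE_SRC = '//cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/prism.min.js';

function demo() {
  const opts = { pageOrigin: 'https://example.com', distDir: '/tmp/my-project/dist' };
  return {
    naive: naiveClassify(SAMPLE_SRC, opts.distDir),      // kind: 'local' (the bug)
    fixed: classifyResource(SAMPLE_SRC, opts),           // kind: 'remote', https URL
    sameOrigin: classifyResource('/js/app.js', opts),    // kind: 'local' under distDir
    dataUri: classifyResource('data:text/javascript,1', opts), // kind: 'unsupported'
  };
}
```

Because the resolved scheme is taken from the page origin, a protocol-relative reference on an https page is hashed from the https URL, which is the treatment the report asks for; the same check also distinguishes same-origin absolute paths from genuinely remote hosts instead of relying on a scheme prefix.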
castarco commented 2 months ago

Hi @cedmax, sorry for my late response. I'm not familiar with these URLs with "relative" protocol, is there any realistic & sensible use case that justifies using them over https?

As far as I know (from what I read this same evening), SEO experts and security experts are advising against it because of privacy and latency issues associated with it.

cedmax commented 2 months ago

To be fair I don't know if it's a recommended practice, but it's a valid notation for a remote file. If it's not supported I think it should at least be called out in the documentation 😊

cedmax commented 2 months ago

Please don't take these as the only examples, but there are plenty of articles like these which point to using CDN resources in this way

https://dy.dev/docs/implement-script

https://sansec.io/malware/cdn-sources.com

https://docs.totaljs.com/components/40d01001on51c/

castarco commented 2 months ago

@cedmax I hope it helps 😄 https://github.com/kindspells/astro-shield/releases/tag/1.4.0