liberapay / liberapay.com

Source code of the recurrent donations platform Liberapay
https://liberapay.com/

SRI for widgets #1459

Open edent opened 5 years ago

edent commented 5 years ago

The widgets page encourages people to use JavaScript without using Subresource Integrity:

For example: <script src="https://liberapay.com/edent/widgets/button.js"></script>

SRI is an important step in securing the web - see https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

In this case, the docs should encourage people to use:

<script
type="text/javascript"
src="https://liberapay.com/edent/widgets/button.js"
integrity="sha384-0Hy0gDXUnLzeYlKXpAtsF52WI6k2VdA4xkAdIyYKjqpJrdSkrHtzT675rxk/dWxv"
crossorigin="anonymous"></script>
Changaco commented 5 years ago

We can't do that, the buttons aren't immutable, they're not even static files.

mania-rix commented 1 year ago

To fix the SRI for widgets on Liberapay.com, follow these steps:

1- Generate the hash for the widget resource using a hash generator tool. For example, you can use the online tool available at https://www.srihash.org/ or the command-line tool openssl.

2- Copy the generated hash value.

3- In the HTML code for the widget, add the integrity attribute and set its value to the hash you generated in step 1. For example:

<script src="https://example.com/widget.js"
        integrity="sha256-uX9t9aaWnTgGtT4f3qAC7KrLJzE0ZAJ+jG2zUxX9/Xg="
        crossorigin="anonymous"></script>

4- Verify that the hash value matches the hash of the widget resource on your server. You can use the openssl command-line tool to compute the hash of the resource, and compare it to the hash value you generated in step 1.

5- Repeat steps 1-4 for each widget resource that you want to protect with SRI.

By adding SRI to widget resources, you can help protect your site from certain types of attacks, such as cross-site scripting (XSS) and man-in-the-middle (MITM) attacks.