search

observablehq / framework

A static site generator for data apps, dashboards, reports, and more. Observable Framework combines JavaScript on the front-end for interactive graphics with any language on the back-end for data analysis.
https://observablehq.com/framework/
ISC License
2.22k stars 90 forks source link

Add subresource integrity hashes #306

Open Fil opened 7 months ago

Fil commented 7 months ago

We could add subresource integrity hashes to scripts (and stylesheets?).

Related:

mbostock commented 7 months ago

I had to turn this off because +esm isn’t compatible with sri; the contents can change. So this probably needs to be paired with #20 to download the modules themselves and thereby guarantee that they can’t change.

Fil commented 4 months ago

Does this even matter anymore since everything is now self-hosted? The scenario where an attackers hacks into the scripts is at the same threat level as an attacker hacks into the website.

mbostock commented 4 months ago

I think it’s a lot less important, certainly. I don’t know if there’s a compelling use case if everything is self-hosted, but we could in theory still support it.