openml / OpenML

Open Machine Learning
https://openml.org
BSD 3-Clause "New" or "Revised" License

Use subresource integrity on all third-party content #879

Open KOLANICH opened 5 years ago

KOLANICH commented 5 years ago

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

nok commented 5 years ago

```html
<script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>
```

Could that be integrated into the build process of https://github.com/openml/openml.org/? They use Webpack and Bower.

A small overview of the CDN requests:

[image]

KOLANICH commented 5 years ago

https://github.com/waysact/webpack-subresource-integrity/ (I googled it and have not used it in any way) may be helpful, though I have not audited it, and before using it we surely need it audited.