Open westurner opened 6 months ago
Hi @westurner - does the keyword-argument support in the add_js_file
method provide the functionality that you're looking for here?
Almost, I think. Remaining:
- add_js_files() SRI hash integrity= kwargs be updated?
- integrity= kwargs at {dev, build, release}-time
- integrity= hashes specified and idk ignore_missing_sri_hashes = true isn't set in conf.py?

Update sphinx dev process to update integrity= kwargs at {dev, build, release}-time
I don't think that sphinx should modify those itself if they're provided as arguments; that would conflict with the reason for providing them - to ensure that the correct content is delivered to users. It would be OK for a project to provide either -- or both -- minified and non-minified variants, though, for example. The integrity HTML attribute can contain multiple same-algorithm-digests for the same resource, meaning that a choice of valid contents are considered valid at a point-in-time, and that would support the 'both' provision there.
When or how should sphinx's own add_js_files() SRI hash integrity= kwargs be updated?
I'm not completely certain what you mean by this; do you mean how would integrity values for the built-in theme CSS/JS files from Sphinx itself be generated?
On Sun, Apr 14, 2024, 4:53 PM James Addison @.***> wrote:
Update sphinx dev process to update integrity= kwargs at {dev, build, release}-time
I don't think that sphinx should modify those itself if they're provided as arguments; that would conflict with the reason for providing them - to ensure that the correct content is delivered to users. It would be OK for a project to provide either -- or both -- minified and non-minified variants, though, for example. The integrity HTML attribute can contain multiple same-algorithm-digests for the same resource, meaning that a choice of valid contents are considered valid at a point-in-time, and that would support the 'both' provision there.
When or how should sphinx's own add_js_files() SRI hash integrity= kwargs be updated?
I'm not completely certain what you mean by this; do you mean how would integrity values for the built-in theme CSS/JS files from Sphinx itself be generated?
- support min.js variants
- auto-hash the built in theme resources yeah
- flag to build without any integrity= values for debugging
Could you describe some use-case(s) for disabling the integrity attribute? Even in development mode, it's valuable to know that code/scripts/stylesheets haven't been unexpectedly modified.
On Mon, Apr 15, 2024, 6:24 PM James Addison @.***> wrote:
- support min.js variants - auto-hash the built in theme resources yeah - flag to build without any integrity= values for debugging
Could you describe some use-case(s) for disabling the integrity attribute? Even in development mode, it's valuable to know that code/scripts/stylesheets haven't been unexpectedly modified.
- live on-disk modification of theme stylesheets (which DevTools works around just fine)
Given that the developer has local write access to the resources in that scenario, would it be acceptable to temporarily remove the HTML integrity attribute(s) for those resources until editing is completed?
Presumably that's what browsers do with "Local overrides" in DevTools.
IDK how necessary it is to optionally omit integrity= hashes for development and testing.
On Tue, Apr 16, 2024, 12:35 PM James Addison @.***> wrote:
- live on-disk modification of theme stylesheets (which DevTools works around just fine)
Given that the developer has local write access to the resources in that scenario, would it be acceptable to temporarily remove the HTML integrity attribute(s) for those resources until editing is completed?
Is your feature request related to a problem? Please describe.
app.app_javascript()
<script> tag with extra attributes that aren't yet supported by app.add_javascript(pathurl)
is now app.add_js_file(pathurl):
Describe the solution you'd like
[ ] ENH: sphinx.application.add_js_file,add_css_file,: add at least integrity= and crossorigin= kwargs to
[ ] ENH,SEC: update all existing code with sri hashes
[ ] ENH: sphinx.builders.html.StandaloneHTMLBuilder,*HTMLBuilder: include integrity= SRI hashes for everything added with add_js_file and add_css_file
[ ] DOC: Release Notes: ANN: We should all add integrity= and crossorigin= attrs to our <link> and <script> tags; here's how with Sphinx now
Describe alternatives you've considered
<link> and <script> tags with SRI hashes
Additional context
"What are the integrity and crossorigin attributes?" https://stackoverflow.com/questions/32039568/what-are-the-integrity-and-crossorigin-attributes/49061277#49061277
SRI hash:
openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A
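
Added example (not part of the original issue and not Sphinx's own code): a Python equivalent of the openssl command above that also builds a multi-digest integrity= value, as discussed in the thread for minified and non-minified variants, and checks content against it following the matching rules in the SRI specification. The function names and the sample script contents are constructed for illustration.

```python
import base64
import hashlib

# Hash algorithms defined for SRI, ranked weakest to strongest.
_STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}

# Constructed sample inputs: one script in plain and minified form.
PLAIN = b"function greet(name) {\n  return 'hi ' + name;\n}\n"
MINIFIED = b"function greet(n){return'hi '+n}"


def sri_digest(content: bytes, alg: str = "sha384") -> str:
    """openssl dgst -<alg> -binary | openssl base64 -A, prefixed with '<alg>-'."""
    if alg not in _STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    raw = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(raw).decode('ascii')}"


def integrity_value(*variants: bytes, alg: str = "sha384") -> str:
    """Space-separated digests, one per accepted variant of the resource."""
    return " ".join(sri_digest(v, alg) for v in variants)


def matches(content: bytes, integrity: str) -> bool:
    """Only digests of the strongest listed algorithm count; any one of
    them may match. Tokens with unknown algorithms are ignored."""
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        if alg in _STRENGTH and rest:
            parsed.append((alg, rest.split("?", 1)[0]))  # drop ?options
    if not parsed:
        # No usable metadata means nothing is enforced, which is why a
        # missing or mistyped integrity= value fails open.
        return True
    strongest = max(parsed, key=lambda p: _STRENGTH[p[0]])[0]
    return any(sri_digest(content, alg) == f"{alg}-{b64}"
               for alg, b64 in parsed if alg == strongest)
```

The string returned by `integrity_value(PLAIN, MINIFIED)` is what would be passed as the `integrity=` keyword argument to `add_js_file`, alongside `crossorigin=`.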