sphinx-doc / sphinx

The Sphinx documentation generator
https://www.sphinx-doc.org/

Support <script integrity= crossorigin=> tags #12279

Open westurner opened 6 months ago

westurner commented 6 months ago

Is your feature request related to a problem? Please describe.

Describe the solution you'd like

Describe alternatives you've considered

Additional context

jayaddison commented 6 months ago

Hi @westurner - does the keyword-argument support in the add_js_file method provide the functionality that you're looking for here?

westurner commented 6 months ago

Almost, I think. Remaining:

jayaddison commented 6 months ago

Update sphinx dev process to update integrity= kwargs at {dev, build, release}-time

I don't think that sphinx should modify those itself if they're provided as arguments; that would conflict with the reason for providing them - to ensure that the correct content is delivered to users. It would be OK for a project to provide either -- or both -- minified and non-minified variants, though, for example. The integrity HTML attribute can contain multiple same-algorithm-digests for the same resource, meaning that a choice of valid contents are considered valid at a point-in-time, and that would support the 'both' provision there.

When or how should sphinx's own add_js_files() SRI hash integrity= kwargs be updated?

I'm not completely certain what you mean by this; do you mean how would integrity values for the built-in theme CSS/JS files from Sphinx itself be generated?
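
Added example, not part of the thread or of Sphinx's code base: a sketch of the multiple-digest `integrity` value discussed in the comment above, built for a full and a minified variant of one script and checked the way a browser would (strongest listed algorithm only, any matching digest accepted). The helper names, the sample script bytes and the placeholder URL are assumptions made for illustration.

```python
import base64
import hashlib

# Strength order used when a value lists several algorithms (strongest last).
ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return one SRI token, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    raw = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(raw).decode('ascii')}"


def integrity_value(*variants: bytes, algorithm: str = "sha384") -> str:
    """Space-separated digests, one per acceptable variant of the resource."""
    return " ".join(sri_digest(v, algorithm) for v in variants)


def matches(content: bytes, integrity: str) -> bool:
    """Approximate the browser check: keep only the strongest algorithm
    listed, then accept if the content matches any digest for it."""
    tokens = [t.split("?", 1)[0] for t in integrity.split()]
    tokens = [t for t in tokens if t.split("-", 1)[0] in ALGORITHMS]
    if not tokens:
        return True  # no recognised digest: browsers skip the check
    strongest = max(ALGORITHMS.index(t.split("-", 1)[0]) for t in tokens)
    algorithm = ALGORITHMS[strongest]
    return any(t == sri_digest(content, algorithm)
               for t in tokens if t.startswith(algorithm + "-"))


# Constructed sample content standing in for the two builds of one script.
FULL_JS = b"function greet(name) {\n  return 'hello ' + name;\n}\n"
MIN_JS = b"function greet(n){return'hello '+n}"

# Attributes for the <script> tag; both variants are valid at the same time.
SCRIPT_KWARGS = {
    "integrity": integrity_value(FULL_JS, MIN_JS),
    "crossorigin": "anonymous",
}
# In a Sphinx extension these would be passed as keyword arguments, e.g.
#   app.add_js_file("https://cdn.example.invalid/greet.js", **SCRIPT_KWARGS)
```

Because only the strongest listed algorithm is considered, a value that mixes a `sha256` digest for one variant with a `sha512` digest for another accepts only the `sha512` variant; listing both variants under the same algorithm is what makes either acceptable.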

westurner commented 6 months ago

On Sun, Apr 14, 2024, 4:53 PM James Addison @.***> wrote:

Update sphinx dev process to update integrity= kwargs at {dev, build, release}-time

I don't think that sphinx should modify those itself if they're provided as arguments; that would conflict with the reason for providing them - to ensure that the correct content is delivered to users. It would be OK for a project to provide either -- or both -- minified and non-minified variants, though, for example. The integrity HTML attribute can contain multiple same-algorithm-digests for the same resource, meaning that a choice of valid contents are considered valid at a point-in-time, and that would support the 'both' provision there.

When or how should sphinx's own add_js_files() SRI hash integrity= kwargs be updated?

I'm not completely certain what you mean by this; do you mean how would integrity values for the built-in theme CSS/JS files from Sphinx itself be generated?


jayaddison commented 6 months ago
  • support min.js variants - auto-hash the built in theme resources yeah - flag to build without any integrity= values for debugging

Could you describe some use-case(s) for disabling the integrity attribute? Even in development mode, it's valuable to know that code/scripts/stylesheets haven't been unexpectedly modified.

westurner commented 6 months ago

On Mon, Apr 15, 2024, 6:24 PM James Addison @.***> wrote:

  • support min.js variants - auto-hash the built in theme resources yeah - flag to build without any integrity= values for debugging

Could you describe some use-case(s) for disabling the integrity attribute? Even in development mode, it's valuable to know that code/scripts/stylesheets haven't been unexpectedly modified.


jayaddison commented 6 months ago
  • live on-disk modification of theme stylesheets (which DevTools works around just fine)

Given that the developer has local write access to the resources in that scenario, would it be acceptable to temporarily remove the HTML integrity attribute(s) for those resources until editing is completed?

westurner commented 6 months ago

Presumably that's what browsers do with "Local overrides" in DevTools.

IDK how necessary it is to optionally omit integrity= hashes for development and testing.

On Tue, Apr 16, 2024, 12:35 PM James Addison @.***> wrote:

  • live on-disk modification of theme stylesheets (which DevTools works around just fine)

Given that the developer has local write access to the resources in that scenario, would it be acceptable to temporarily remove the HTML integrity attribute(s) for those resources until editing is completed?
