Closed fulldecent closed 6 years ago
Be careful about removing [uikit-version] in the paths. When they bump the version, it won't be updated.
That is correct; it will not be updated because the integrity information is not in https://getuikit.com/assets/uikit/package.json
I have reported an issue upstream to change the specification for package.json files: https://github.com/npm/npm/issues/17343
Even that will not neatly handle the problem because uikit uses multiple js files.
Also, I have made a PR towards a long-term solution here, https://github.com/uikit/uikit/pull/2733, but that only handles the JS link.
Overall, it will be an ugly hack to shove all this extra information (integrity for uikit-icons.min.js) into the package.json format. Since CORS/SRI is important in a post-Snowden world, I recommend that documentation be manually updated to include integrity information for each version release.
Please confirm if CORS/security is in scope for this project and if a solution will be merged if found.
Ok, the easier part is distilled into #94. That is ready to go and is less controversial.
I have reviewed further upstream with NPM and do not see a solution there forthcoming. That was probably a stupid idea. There is also an API with cloudflare at https://api.cdnjs.com/libraries/uikit but that likewise does not have SRI.
The issue remains. UIKit recommends that web designers access the CDN without SRI. Best practice dictates SRI.
If this project prefers the convenience of automatically updating URLs over the security of SRI, then this PR can be closed.
Thanks, I've added a note on where to obtain the SRI hashes from CDNJS. Is that sufficient?
4b473ce6365838f4e1569d6cbb788de025b637e8
Fair enough, thank you!
Sorry, I know that there previously was a nice automatic variable and this new method will require maintenance.
But this version has SRI/CORS which is now best practice for web development.