Oh, this is unexpected. When I do the change diffed below, I get:

> Subresource Integrity: The resource
> 'https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css'
> has an integrity attribute, but the resource requires the request to be CORS
> enabled to check the integrity, and it is not. The resource has been blocked
> because the integrity cannot be enforced.
It looks like I need to drop the integrity attribute as well. Or, is there value in keeping both the integrity and crossorigin="anonymous", since (I'm assuming) that will provide some protection against the file being unexpectedly replaced with something else?

> On Jun 24, 2020, at 9:41 AM, Roy Smith <r...@panix.com> wrote:
>
> Thank you for reminding me that fixing this has been on my list
> <https://github.com/roysmith/spi-tools/issues/4> for a while. My CSP-fu is
> weak. As I understand it, all I need do is:
>
> <!-- Bootstrap CSS -->
> <link
> rel="stylesheet"
> - href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css"
> - integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T"
> - crossorigin="anonymous">
> + href="https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css"
> + integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T">
>
> and similar changes for the other linked-to resources. Two specific
> questions:
> The integrity token is the same, no matter which mirror I get it from?
> I can drop the crossorigin attribute since I'm not doing CORS any more?
>
>> On Jun 23, 2020, at 3:06 PM, MusikAnimal <musikani...@gmail.com> wrote:
>>
>> The Content Security Policy violations are report-only, if that's what
>> you're referring to. Popper, Bootstrap, jQuery and Selectize are all
>> available via https://cdnjs.toolforge.org/
>> which will get around the CSP directive.
>> For fonts you could try
>> https://fontcdn.toolforge.org/
>>
>> ~ MA
>
> _______________________________________________
> Wikimedia Cloud Services mailing list
> Cloud@lists.wikimedia.org (formerly lab...@lists.wikimedia.org)
> https://lists.wikimedia.org/mailman/listinfo/cloud
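Review bot: the `+` lines keep `integrity="sha384-..."` but drop `crossorigin="anonymous"`, and a browser will refuse to load that combination: Subresource Integrity can only be verified on a CORS-enabled request, so a cross-origin `<link>` that carries `integrity` without `crossorigin` is blocked outright, which is exactly the "requires the request to be CORS enabled to check the integrity" error quoted at the top of this message. The fix is to put `crossorigin="anonymous"` back on the new `<link>` rather than to remove `integrity`; the attribute does not mean the page is "doing CORS" in any application sense, it only makes the fetch one whose response the integrity check is allowed to inspect. On the other question, the `sha384-` value is a digest of the file bytes, so it is identical across mirrors only if the mirror serves a byte-identical bootstrap.min.css; if the mirror ships a different build, the resource is blocked on that basis instead, which is the protection the attribute is there to give.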
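Added example, not code from this thread or from the spi-tools project: Python helpers that build an SRI `integrity` token from a file's bytes, emit the `<link>` with the `crossorigin="anonymous"` the browser needs to enforce it, and verify fetched bytes against an integrity attribute the way the browser does (strongest algorithm wins, any matching token passes). The stylesheet bytes and the CDN URL are constructed stand-ins, not the real Bootstrap file.

```python
"""Subresource Integrity (SRI) helpers: build an integrity token and verify bytes against one."""
import base64
import hashlib

# Digest algorithms SRI accepts, ordered weakest to strongest.
SRI_ALGOS = ("sha256", "sha384", "sha512")

# Constructed stand-in for bootstrap.min.css; real CDN bytes would be used in practice.
CSS_FROM_MIRROR = b"/* constructed sample stylesheet */ .btn{color:red}"


def sri_token(data: bytes, algo: str = "sha384") -> str:
    """Return 'algo-<base64 digest>' for the given bytes, e.g. 'sha384-ggOyR0...'."""
    algo = algo.lower()
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def link_tag(href: str, data: bytes) -> str:
    """Build a stylesheet <link>. crossorigin="anonymous" must stay: without it the
    browser cannot check integrity on a cross-origin fetch and blocks the resource."""
    return (f'<link rel="stylesheet" href="{href}" '
            f'integrity="{sri_token(data)}" crossorigin="anonymous">')


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute (space-separated tokens).
    As in the SRI spec, only tokens using the strongest algorithm present count, and
    any one of them matching is enough (lets you list several acceptable builds).
    Unlike a browser, which loads a resource whose metadata has no usable token,
    this helper fails closed and returns False in that case."""
    parsed = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        algo = algo.lower()
        if algo in SRI_ALGOS and rest:
            b64 = rest.split("?", 1)[0]  # strip any ?option suffix
            parsed.append((SRI_ALGOS.index(algo), algo, b64))
    if not parsed:
        return False
    strongest = max(rank for rank, _, _ in parsed)
    return any(rank == strongest and sri_token(data, algo) == f"{algo}-{b64}"
               for rank, algo, b64 in parsed)


if __name__ == "__main__":
    token = sri_token(CSS_FROM_MIRROR)
    print(link_tag("https://cdn.example.invalid/bootstrap.min.css", CSS_FROM_MIRROR))
    # Same bytes from another mirror verify; a modified file does not.
    print(verify_integrity(CSS_FROM_MIRROR, token), verify_integrity(CSS_FROM_MIRROR + b"/*x*/", token))
```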