On Wed, Jun 24, 2020 at 8:15 AM Roy Smith <r...@panix.com> wrote:
>
> Oh, this is unexpected. When I do the change diffed below, I get:
>
> Subresource Integrity: The resource
> 'https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css'
> has an integrity attribute, but the resource requires the request to be CORS
> enabled to check the integrity, and it is not. The resource has been blocked
> because the integrity cannot be enforced.
>
>
> It looks like I need to drop the integrity attribute as well. Or, is there
> value in keeping both the integrity and crossorigin="anonymous", since (I'm
> assuming) that will provide some protection against the file being
> unexpectedly replaced with something else?

The integrity hash is a nice thing to have for defense in depth against some MITM attack against the proxy or malicious content injection at the upstream source. I would guess that the hash change is due to some non-repeatable build issue in the css compression used by the two different CDN archives.

You can find the published hash for the CDNJS file using the upstream interface at <https://cdnjs.com/libraries/twitter-bootstrap>. Alternately, you can download the file through the proxy, review it to convince yourself that the file is attack free, and compute the sha256 or sha384 hash locally.

I would also recommend keeping the crossorigin="anonymous" attribute. The Cloud Services proxy is privacy respecting, but again this is a defense in depth protection against any possible rogue activity at that proxy.

Bryan
--
Bryan Davis
Technical Engagement, Wikimedia Foundation
Principal Software Engineer
Boise, ID USA
[[m:User:BDavis_(WMF)]]
irc: bd808
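
Computing and checking the integrity value locally, as suggested in the reply above, shown as an added example that is not part of the original thread. The function names, the sample CSS bytes and the example.org URL are constructed for illustration; the example goes slightly beyond the thread by also showing that a browser enforces only the strongest algorithm listed in the attribute.

```python
import base64
import hashlib

# Algorithms the SRI specification allows, weakest to strongest.
STRENGTH = ["sha256", "sha384", "sha512"]


def sri_hash(data: bytes, alg: str = "sha384") -> str:
    """Return an integrity value: '<alg>-<base64 of the raw digest>'."""
    if alg not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> dict:
    """Group the whitespace-separated hashes of an integrity attribute by algorithm."""
    by_alg = {}
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        if not sep or alg.lower() not in STRENGTH:
            continue  # unknown tokens are ignored, as a browser does
        value = rest.split("?", 1)[0]  # drop any '?options' suffix
        by_alg.setdefault(alg.lower(), []).append(value)
    return by_alg


def verify(data: bytes, attr: str) -> bool:
    """Check data as a browser would: only the strongest listed algorithm counts."""
    by_alg = parse_integrity(attr)
    if not by_alg:
        return True  # no usable metadata means nothing is enforced
    strongest = max(by_alg, key=STRENGTH.index)
    actual = sri_hash(data, strongest).split("-", 1)[1]
    return actual in by_alg[strongest]


def link_tag(href: str, data: bytes) -> str:
    """Stylesheet tag carrying both attributes discussed in the thread."""
    return (f'<link rel="stylesheet" href="{href}" '
            f'integrity="{sri_hash(data)}" crossorigin="anonymous">')


if __name__ == "__main__":
    css = b"body{margin:0}"  # constructed stand-in for the downloaded, reviewed file
    print(link_tag("https://example.org/bootstrap.min.css", css))
    print(verify(css, sri_hash(css)), verify(css + b" ", sri_hash(css)))
```

Listing a sha256 and a sha384 value together does not mean "either may match": once a sha384 value is present, a matching sha256 value alone no longer passes.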