security: add SRI hash to Redoc CDN script tag#43
Open
dmchaledev wants to merge 1 commit into
Open
Conversation
The public-facing docs page loads redoc.standalone.js from jsdelivr with no subresource integrity check. Pinning the version alone doesn't protect against a compromised CDN or MITM serving different bytes under the same URL; the browser needs a hash to verify. Added a sha384 integrity attribute (verified against jsdelivr's own published hash for redoc@2.5.3) plus crossorigin="anonymous", which SRI requires for cross-origin script loads. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_015FbybmH3LzX8CbuzGtqUAK
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
docs/index.htmlloads Redoc from jsdelivr (https://cdn.jsdelivr.net/npm/redoc@2.5.3/bundles/redoc.standalone.js) with no Subresource Integrity (SRI) check.sha384integrityattribute pluscrossorigin="anonymous"(required by the SRI spec for cross-origin script loads) to the Redoc<script>tag.The hash was independently computed from the fetched file (
openssl dgst -sha384) and cross-checked against jsdelivr's own published SHA-256 hash forredoc@2.5.3/bundles/redoc.standalone.jsviahttps://data.jsdelivr.com/v1/packages/npm/redoc@2.5.3— both match the file currently served.Test plan
hailbytes.github.io/hailbytes-api-docs) still renders both the ASM and SAT specs correctly (SRI mismatches fail closed and would blank the page)🤖 Generated with Claude Code
https://claude.ai/code/session_015FbybmH3LzX8CbuzGtqUAK
Generated by Claude Code