From 20da7492379d2b531de6ed164fd4da2e5725c515 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 14 Jul 2026 11:38:47 +0000 Subject: [PATCH] Add Subresource Integrity hash to Redoc CDN script MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The docs page loads redoc.standalone.js from jsDelivr with no SRI check, so a compromised or tampered CDN response would execute arbitrary JS on the API reference page — including inside Redoc's "Try it" console where users paste live API keys. Pin the script with a sha384 integrity hash (verified against jsDelivr's own published file hash for redoc@2.5.3) so the browser refuses to run the script if the served bytes ever differ. Co-Authored-By: Claude Sonnet 5 Claude-Session: https://claude.ai/code/session_01Ln27LeJd3LfFBkUaCQL6Er --- docs/index.html | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/index.html b/docs/index.html index 66ce922..8585fd0 100644 --- a/docs/index.html +++ b/docs/index.html @@ -39,7 +39,11 @@
- +