Missing subresource integrity checking for Font Awesome JS #1920

Kristaba · 2018-10-29T21:01:05Z

It seems that the Font Awesome's javascript code is served by their CDN by default.
I am not too much used to web development, but I believe the subresource integrity checking should be used in such case.

minimal-mistakes/_includes/scripts.html

Line 12 in f4cfc87

The hash of each version of Font Awesome files is available in their website.
So the current line should be replaced by something like:

<script src="https://use.fontawesome.com/releases/v5.3.1/js/all.js" integrity="sha384-kW+oWsYx3YpxvjtZjFXqazFpA7UP/MbiY4jvs+RWZo2+N94PFZ36T6TFkc9O3qoB"></script>

mmistakes · 2018-10-29T22:43:17Z

Care to submit a pull request with the integrity value added?

Impact: - Increase the border radius of inline code and `<kbd>` tags - Variable `$base-radius` renamed to `$radius-lg`

mmistakes added Type: Enhancement Status: Accepted labels Oct 29, 2018

Kristaba mentioned this issue Oct 30, 2018

add integrity hash for Font Awesome script #1922

Merged

mmistakes closed this as completed Nov 13, 2018

okitem pushed a commit to okmalls/okmalls.github.io that referenced this issue Sep 21, 2024

refactor(ui): standardize the border radius (mmistakes#1920)

31e19c6

Impact: - Increase the border radius of inline code and `<kbd>` tags - Variable `$base-radius` renamed to `$radius-lg`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Missing subresource integrity checking for Font Awesome JS #1920

Missing subresource integrity checking for Font Awesome JS #1920

Kristaba commented Oct 29, 2018

mmistakes commented Oct 29, 2018

Missing subresource integrity checking for Font Awesome JS #1920

Missing subresource integrity checking for Font Awesome JS #1920

Comments

Kristaba commented Oct 29, 2018

mmistakes commented Oct 29, 2018