New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support <script integrity= crossorigin=> tags #12279
Comments
Hi @westurner - does the keyword-argument support in the |
Almost, I think. Remaining:
|
I don't think that
I'm not completely certain what you mean by this; do you mean how would |
- support min.js variants
- auto-hash the built in theme resources yeah
- flag to build without any integrity= values for debugging
…On Sun, Apr 14, 2024, 4:53 PM James Addison ***@***.***> wrote:
Update sphinx dev process to update integrity= kwargs at {dev, build,
release}-time
I don't think that sphinx should modify those itself if they're provided
as arguments; that would conflict the reason for providing them - to ensure
that the correct content is delivered to users. It would be OK for a
project to provide either -- or both -- minified and non-minified variants,
though, for example. The integrity HTML attribute can contain multiple
same-algorithm-digests for the same resource, meaning that a choice of
valid contents are considered valid at a point-in-time, and that would
support the 'both' provision there.
When or how should sphinx's own add_js_files() SRI hash integrity= kwargs
be updated?
I'm not completely certain what you mean by this; do you mean how would
integrity values for the built-in theme CSS/JS files from Sphinx itself
be generated?
—
Reply to this email directly, view it on GitHub
<#12279 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAMNS7T2I4RP7KTZD4LQJTY5LUE5AVCNFSM6AAAAABGGIED2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANJUGE4DCMZYG4>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Could you describe some use-case(s) for disabling the |
- live on-disk modification of theme stylesheets (which DevTools works
around just fine)
…On Mon, Apr 15, 2024, 6:24 PM James Addison ***@***.***> wrote:
- support min.js variants - auto-hash the built in theme resources
yeah - flag to build without any integrity= values for debugging
Could you describe some use-case(s) for disabling the integrity
attribute? Even in development mode, it's valuable to know that
code/scripts/stylesheets haven't been unexpectedly modified.
—
Reply to this email directly, view it on GitHub
<#12279 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAMNSZYQMGYJJ2VQVSDZHTY5RHRTAVCNFSM6AAAAABGGIED2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANJXHEYTCOJZG4>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Given that the developer has local write access to the resources in that scenario, would it be acceptable to temporarily remove the HTML |
Presumably that's what browsers do with "Local overrides" in DevTools.
IDK how necessary it is to optionally omit integrity= hashes for
development and testing.
…On Tue, Apr 16, 2024, 12:35 PM James Addison ***@***.***> wrote:
- live on-disk modification of theme stylesheets (which DevTools works
around just fine)
Given that the developer has local write access to the resources in that
scenario, would it be acceptable to temporarily remove the HTML integrity
attribute(s) for those resources until editing is completed?
—
Reply to this email directly, view it on GitHub
<#12279 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAMNS4UQEWXBNE3AOG5VXLY5VHLJAVCNFSM6AAAAABGGIED2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANJZGUYDCMZTHE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Is your feature request related to a problem? Please describe.
app.app_javascript()
<script>
tag with extra attributes that aren't yet supported byapp.add_javascript(pathurl)
is nowapp.add_js_file(pathurl)
:Describe the solution you'd like
ENH: sphinx.application.add_js_file,add_css_file,: add at least
integrity=
andcrossorigin=
kwargs tosphinx/sphinx/application.py
Line 966 in e352a67
ENH,SEC: update all existing code with sri hashes
ENH: sphinx.builders.html.StandaloneHTMLBuilder,*HTMLBuilder: include
integrity=
SRI hashes for everything added withadd_js_file
andadd_css_file
sphinx/sphinx/builders/html/__init__.py
Line 341 in e352a67
DOC: Release Notes: ANN: We should all add
integrity=
andcrossorigin=
attrs to our<link>
and<script>
tags; here's how with Sphinx nowDescribe alternatives you've considered
<link>
and<script>
tags with SRI hashesAdditional context
"What are the integrity and crossorigin attributes?"
https://stackoverflow.com/questions/32039568/what-are-the-integrity-and-crossorigin-attributes/49061277#49061277
SRI hash:
openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A
The text was updated successfully, but these errors were encountered: