[SRI Issue] - Missing integrity of inline injected script. #58

AlessandroAlmadaLeal opened this issue Jul 30, 2023 · 2 comments
@AlessandroAlmadaLeal
Hello everyone,

I'm working on a personal project and came across the SRI (Subresource Integrity) check subject.

After several minutes of configuring and testing my project, I discovered the issue shown in the image below:

[image]

As you can see, the script injected by Live Server does not have an integrity key configured.

If the developer chooses not to use SRI or CSP (Content Security Policy), Live Server will continue to work normally. However, when we configure CSP and SRI, this script injected by the tool will not be executed because it is considered 'unsafe-inline', which CSP identifies as a Cross-Site Scripting (XSS) weak point.

A possible solution could be to change the existing `<script>...</script>` tag to `<script integrity='sha256-vvt4KWwuNr51XfE5m+hzeNEGhiOfZzG97ccfqGsPwvE=' crossorigin="self">...</script>`; this might fix the issue. However, be aware that making changes to the script may have implications for this integrity key in the future (with each code update the hash needs to be recalculated and updated too).

Alternatively, a setting option could be created to automatically concatenate the integrity key to the script tag. As developers, we could calculate these keys ourselves and insert them into the script tag through a setting "text box" field. That's easier and takes less maintenance effort, since this setting would only be used in this CSP configuration scenario.

Thank you for the attention,

Best regards,

A. Leal.

MajliTech commented Jul 30, 2023

No one cares, see #57

AlessandroAlmadaLeal (Author) commented

Thanks @MajliTech.
