
Add subresource integrity checking to our user-tracking script #506

Open. Wants to merge 1 commit into base branch main.

Conversation

PeterJCLaw (Member):

If we're going to track users we should at least ensure that the script which does so is what we're expecting. The value here is derived from a manual check of the current version of the file.

I couldn't find anything on Plausible's website about this, so I'm just guessing that this is ok to do. Ideally it feels like we should pin the version of the library we're pulling in, however I couldn't find anything on how to do that either.

RealOrangeOne (Member) left a comment:

This will silently break functionality if the script is changed upstream (which definitely happens as the Plausible application is deployed).

SRI isn't something officially supported, but there are discussions about it: plausible/analytics#380

PeterJCLaw (Member, Author):

Hrm, I did suspect that that failure mode might be the case. Really not a fan of their approach that it's too hard to actually version it, especially given that they do already offer an NPM package which itself is already (and must be) versioned!

Perhaps we should pull in the NPM package instead? We could fetch that via https://www.jsdelivr.com/ perhaps or maybe even move towards building the site ourselves (at which point we have more freedom for other things anyway).
