Commit 37a18db
committed
csp: replace 'https://unpkg.com' origin with per-script SRI hashes
Previous CSP listed https://unpkg.com in script-src / style-src,
which allows ANY script served from unpkg. That trusts the CDN more
than we want — if unpkg were compromised and served a different
marked/highlight bundle, the origin allowlist would let it through
and we'd rely solely on SRI to catch it.
Pull the sha384 hashes already computed during the SRI pass off the
rendered <script src> / <link rel=stylesheet href> tags and emit them
as CSP allowlist entries. Two layers of byte-matching:
1. CSP refuses to load a script whose hash isn't allowlisted.
2. SRI refuses to execute a loaded script whose hash doesn't match.
Same-origin tags don't need explicit CSP hashes (covered by 'self' +
their own SRI attribute). CSP hash-matching is cross-origin-only.1 parent a1bdea2 commit 37a18db
1 file changed
Lines changed: 29 additions & 10 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
173 | 173 | | |
174 | 174 | | |
175 | 175 | | |
176 | | - | |
| 176 | + | |
177 | 177 | | |
178 | 178 | | |
179 | 179 | | |
180 | | - | |
| 180 | + | |
181 | 181 | | |
182 | 182 | | |
183 | | - | |
184 | | - | |
185 | 183 | | |
186 | | - | |
| 184 | + | |
187 | 185 | | |
188 | | - | |
189 | | - | |
190 | | - | |
| 186 | + | |
| 187 | + | |
| 188 | + | |
| 189 | + | |
| 190 | + | |
| 191 | + | |
| 192 | + | |
| 193 | + | |
| 194 | + | |
| 195 | + | |
| 196 | + | |
| 197 | + | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
| 201 | + | |
| 202 | + | |
| 203 | + | |
| 204 | + | |
| 205 | + | |
| 206 | + | |
| 207 | + | |
| 208 | + | |
| 209 | + | |
191 | 210 | | |
192 | 211 | | |
193 | 212 | | |
194 | 213 | | |
195 | 214 | | |
196 | 215 | | |
197 | 216 | | |
198 | | - | |
199 | | - | |
| 217 | + | |
| 218 | + | |
200 | 219 | | |
201 | 220 | | |
202 | 221 | | |
| |||
0 commit comments