adding sri modal to codeorigin #391
Conversation
|
Looks good to me |
|
LGTM but I'll defer to @scottgonzalez who has been following this more closely and knows the setup better. |
|
Do we want to have a page with hashes for all past versions for people that can't yet download the newest one? |
The hashes are already computed for every version. I've also suggested that we expose https://code.jquery.com/resources/sri-directives.json in jquery/codeorigin.jquery.com#22 (comment) |
Where are they kept?
Since the goal of the SRI is to prevent injecting a rogue script in case of a CDN poisoning, putting a file listing the hashes on this very CDN doesn't sound like the best option. |
Umm...they're generated on deploy for the CDN. I'm getting the feeling you haven't looked at the related PR.
And the values that every user will insert into their scripts comes directly from the CDN. I'm not sure where else these would be listed. |
Yeah, sorry, I see it now.
Those values are needed only for developers, end users don't download them. Hence, the CDN is not necessary for that, they may as well be kept somewhere on our sites, i.e. places that are separate from CDNs. We'd have to first switch our sites to HTTPS-only, though. |
I'm really not sure what setup you have in mind. It would certainly require whatever other random site you choose to have the CDN as a dependency for getting the hashes. |
Only for past releases; new ones are generated offline, on a computer of the person doing the release. |
I'm not sure how you got that impression. The hash will always be generated by the production build server during deploy. Perhaps you can explain why you think this would not be the case based on the other PR. |
|
I think the scenario that the SRI integrity hash is addressing is this one:
If someone hacks That's why I'm hesitant to fix the map reference in the minified jQuery 1.9.1 file by editing it. Anyone using SRI or keeping their own hashes would notice that the file has been changed two years after it was put on the CDN. |
| // attach custom header and footer tags | ||
| function header_append() { | ||
| echo ' | ||
| <link rel="stylesheet" href="' . get_template_directory_uri() . '/css/font-awesome.css" /> |
There was a problem hiding this comment.
Font Awesome is already loaded on the page.
There was a problem hiding this comment.
I saw it in the themes/jquery/css directory, but not included. I'l drop this out.
|
@scottgonzalez Thanks for the feedback, comments. I'll address / answer shortly. Dealing with some other fires elsewhere at the moment. |
|
@scottgonzalez I've addressed some of the low hangers. I'll get back to the rest shortly. I didn't work up the client side js/css, and have asked @jdorfman to review those parts, he or I will start addressing those parts next. Cheers! PS: I will most certainly squash commits once all comments have been address. :) |
|
we close @scottgonzalez ? |
|
@scottgonzalez I believe I've addressed all open comments aside from https://github.com/jquery/jquery-wp-content/pull/391/files#r52310552, which is pending comments. Let me know if I missed anything. Cheers! cc: @jdorfman |
| <span>crossorigin="anonymous"></script></span> | ||
| </code> | ||
|
|
||
| <button class="sri-modal-copy-btn" |
There was a problem hiding this comment.
This button should start with a title and have the tooltip initialized so that the feature is discoverable.
|
@scottgonzalez All outstanding comments have been addressed as far as I can tell. Let me know if I missed anything or if there's anything else. Cheers! |
|
Let's |
|
It's finally live :-) Thanks for all the work. |
|
@scottgonzalez awesome! Thank you =) |
Hello!
Per the discussions on gh:jquery/codeorigin.jquery.com#20 I'm adding the SRI modal as an onclick popin for each cdn file link. This is in direct support of gh:jquery/codeorigin.jquery.com#22. I've attached a screenshot of the result here:
Notes:
styleandscripttags in the correct location. I attempted to usewp_enqueue_scriptandwp_enqueue_stylerespectively, without success. I'm new to Wordpress, so I may have been doing something incorrectly. Any direction here would be appreciated.cssandjsfiles includes were added as is from their sources.Thanks and cheers!
J
(cc @jdorfman @scottgonzalez)