Currently, the project settings endpoint returns the template to load, for instance:
"template": {
    "name": "vertical_expand",
    "hash": "cdb41603c95ccf03fe49f86907291088c716edbb"
}
and the WordPress plugin enqueues the script, leading to the following HTML code:
<script type="text/javascript" src="https://cdn.weglot.com/switchers/vertical_expand.cdb41603c95ccf03fe49f86907291088c716edbb.min.js" id="weglot-switcher-vertical_expand-js"></script>
I suggest that Weglot adds an "integrity hash" (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) in the API /projects/settings response:
"template": {
    "name": "vertical_expand",
    "hash": "cdb41603c95ccf03fe49f86907291088c716edbb",
    "integrity": "sha384-TAPLQl0pRyCIFzEaQ0Z2+W4RUj3412BfkvNwPKnIVEktcgjJaHR/L2cEbCt3V8d7"
}
And the WordPress plugin can then generate a safe <script> tag:
<script src="https://cdn.weglot.com/switchers/vertical_expand.cdb41603c95ccf03fe49f86907291088c716edbb.min.js"
integrity="sha384-TAPLQl0pRyCIFzEaQ0Z2+W4RUj3412BfkvNwPKnIVEktcgjJaHR/L2cEbCt3V8d7"
crossorigin="anonymous"></script>
This is especially important at a time when showcase websites are used for automatically grading the security of companies, with tools like SecurityScorecard.
Thanks for your feedback, this has been planned by our dev team.
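
The proposal above, sketched end to end as an added example (not part of the original post and not Weglot's code): the API side derives the "integrity" value from the exact bytes published on the CDN, and the plugin side builds the tag from the settings response. The function names, the validation patterns for "name" and "hash", and the sample script body are assumptions.

```javascript
const crypto = require('node:crypto');

const CDN_BASE = 'https://cdn.weglot.com/switchers/'; // base URL as shown in the post
// An SRI value is "<algo>-<base64 digest>"; only SHA-256/384/512 are defined.
const SRI_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

// API side: compute the "integrity" field over the file exactly as served.
function sriFor(body, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(body).digest('base64')}`;
}

// The check a browser applies before running the script: re-hash and compare.
function matchesIntegrity(body, integrity) {
  if (!SRI_RE.test(integrity)) return false;
  const algo = integrity.slice(0, integrity.indexOf('-'));
  return sriFor(body, algo) === integrity;
}

// Plugin side: build the tag from the settings "template" object.
// The name/hash patterns are assumptions inferred from the single sample in the post.
function scriptTag(template) {
  if (!/^[a-z0-9_]+$/.test(template.name) || !/^[0-9a-f]{40}$/.test(template.hash)) {
    throw new Error('unexpected template name or hash');
  }
  let attrs = `src="${CDN_BASE}${template.name}.${template.hash}.min.js"`;
  if (template.integrity !== undefined) {
    // Reject malformed values instead of emitting an attribute that cannot match.
    if (!SRI_RE.test(template.integrity)) throw new Error('malformed integrity value');
    // crossorigin is required: SRI on a cross-origin script needs a CORS fetch.
    attrs += ` integrity="${template.integrity}" crossorigin="anonymous"`;
  }
  return `<script ${attrs}></script>`;
}

// Constructed sample body standing in for the real switcher file.
const SAMPLE_BODY = Buffer.from('console.log("switcher loaded");');
const SAMPLE_SRI = sriFor(SAMPLE_BODY);
const TAMPERED_BODY = Buffer.concat([SAMPLE_BODY, Buffer.from('/* injected */')]);

console.log(SAMPLE_SRI);
console.log('original accepted:', matchesIntegrity(SAMPLE_BODY, SAMPLE_SRI));
console.log('tampered accepted:', matchesIntegrity(TAMPERED_BODY, SAMPLE_SRI));
```

The CDN must also answer with an Access-Control-Allow-Origin header for the integrity check to pass on a cross-origin script.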