
Load CDN scripts following Subresource Integrity best practices#257


Currently, the project settings endpoint returns the template to load, for instance:

"template": {
  "name": "vertical_expand",
  "hash": "cdb41603c95ccf03fe49f86907291088c716edbb"
}

and the WordPress plugin enqueues the script, leading to the following HTML code:

<script type="text/javascript" src="https://cdn.weglot.com/switchers/vertical_expand.cdb41603c95ccf03fe49f86907291088c716edbb.min.js" id="weglot-switcher-vertical_expand-js"></script>

I suggest that Weglot adds an “integrity hash” (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) in the API /projects/settings response:

"template": {
  "name": "vertical_expand",
  "hash": "cdb41603c95ccf03fe49f86907291088c716edbb",
  "integrity": "sha384-TAPLQl0pRyCIFzEaQ0Z2+W4RUj3412BfkvNwPKnIVEktcgjJaHR/L2cEbCt3V8d7"
}

And the WordPress plugin can then generate a safe <script> tag:

<script src="https://cdn.weglot.com/switchers/vertical_expand.cdb41603c95ccf03fe49f86907291088c716edbb.min.js"
  integrity="sha384-TAPLQl0pRyCIFzEaQ0Z2+W4RUj3412BfkvNwPKnIVEktcgjJaHR/L2cEbCt3V8d7"
  crossorigin="anonymous"></script>

This is especially important at a time when showcase websites are used for automatically grading the security of companies, with tools like SecurityScoreCard.

a month ago
1
Changed the status to Planned
a month ago

Thanks for your feedback, this has been planned by our dev team.

a month ago