Add integrity hash to <script> in CDN

Open jorgecarleitao opened this issue 6 years ago • 2 comments

Integrity check is important to reduce the attack surface, especially for plotly on which critical data can flow through a JS client.

This issue proposes adding an "integrity" attribute to the links specified here: https://plot.ly/javascript/getting-started/#plotlyjs-cdn

jorgecarleitao, Apr 30 '19 14:04

Hi,

is there any work around this?

shivam017arora, Nov 09 '21 10:11

I'm surprised this is still open. The various applications where I use Plotly all get flagged by the popular security scanners for not having an "integrity" attribute.

@shivam017arora, the workaround is to grab a copy of plotly-latest.min.js, verify its contents, and serve it yourself along with your application.

nutjob4life, Dec 14 '22 16:12
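The workaround from the last comment (keep a reviewed copy, verify it, serve it yourself) combined with the `integrity` attribute the issue asks for, as an added example that is not part of the original thread and not Plotly's code. The file path and sample bytes are constructed placeholders; the check follows the Subresource Integrity rule that only the strongest listed algorithm is evaluated.

```python
import base64
import hashlib
import html

# Algorithms defined for SRI, weakest to strongest.
_STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}


def sri_hash(data: bytes, alg: str = "sha384") -> str:
    """Return an SRI hash expression such as 'sha384-<base64 digest>'."""
    if alg not in _STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def matches_integrity(data: bytes, integrity: str) -> bool:
    """Check data the way a browser does: only the strongest algorithm
    listed is considered, and any one hash of that algorithm may match."""
    parsed = []
    for token in integrity.split():
        alg, sep, rest = token.partition("-")
        if sep and alg in _STRENGTH:
            parsed.append((alg, rest.split("?", 1)[0]))  # drop ?options
    if not parsed:
        # Fail closed in a build step; browsers ignore unusable metadata.
        return False
    strongest = max(parsed, key=lambda p: _STRENGTH[p[0]])[0]
    actual = sri_hash(data, strongest).split("-", 1)[1]
    return any(actual == value for alg, value in parsed if alg == strongest)


def script_tag(src: str, data: bytes) -> str:
    """Render a <script> tag pinned to the reviewed bytes."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_hash(data)}" crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Constructed stand-in for the reviewed library file.
    reviewed = b"window.Plotly = {version: 'constructed-sample'};\n"
    pinned = sri_hash(reviewed)
    # Hypothetical self-hosted path.
    print(script_tag("/static/vendor/plotly.min.js", reviewed))
    print("unchanged copy ok:", matches_integrity(reviewed, pinned))
    print("modified copy ok:", matches_integrity(reviewed + b"//x", pinned))
```

Pinning a hash only works for a file whose bytes never change, so record the hash at review time and re-run the check in the build whenever the vendored copy is updated.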