RapiDoc icon indicating copy to clipboard operation
RapiDoc copied to clipboard
verified publisher icon rapi-doc

CDN without verifying integrity

Open buzavic opened this issue 4 years ago • 2 comments

In examples, you add script from unpkg: image

But, fetching external resources, for example from a CDN, without verifying their integrity could impact the security of an application if the CDN gets compromised and resources are replaced by malicious ones. Resources integrity feature will block resources inclusion into an application if the pre-computed digest of the expected resource doesn't match with the digest of the retrieved resource.

One of the solutions is adding integrity, but I can't find it in your documentation.

<script src="https://unpkg.com/rapidoc/dist/rapidoc-min.js" integrity="sha384-xxxxkfkfDFddfxczlxflzxxxx"></script>

buzavic avatar Nov 05 '21 10:11 buzavic

I think that's probably to avoid having to change the integrity hash every time RapiDoc is updated. Otherwise we'd have to constantly update the file hash for every example.

Also, the solution you proposed doesn't specify RapiDoc version, so it would break whenever RapiDoc is updated. A more reliable variant would be:

<script src="https://unpkg.com/[email protected]/dist/rapidoc-min.js"
  integrity="sha384-RXohSlTwmTZzCgRU7HbPyQ8B6ERVSi4WWSbhOFT0z5j0C87kGhwrDERh9c3OIVPi"
  crossorigin="anonymous"></script>

marshallwp avatar Nov 22 '21 23:11 marshallwp

What is the general solution to this problem? It basically makes it impossible to use the quickstart tutorial. What are the recommended alternatives?

julienrf avatar Feb 16 '22 15:02 julienrf