jason1
(jason rousell)
August 3, 2020, 12:00pm
1
Hi,
Our Nessus scanning is complaining about something called Sub Resource Integrity when requesting the prismic script at https://static.cdn.prismic.io/prismic.min.js
Has anyone come across this before? I'm currently wondering where to even start looking.
MDN has the following: Subresource Integrity - Web security | MDN
It looks like something that would need to be enabled on the Prismic end.
Any pointers much appreciated
Thanks
jason
You need to add an integrity attribute to the script where you import prismic.min.js.
Something like this:
<script src="https://cdn.example.com/app.js"
integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB"
crossorigin="anonymous"></script>
Subresource Integrity or SRI is a W3C recommendation to provide a method to protect website delivery. Specifically, it validates assets served by a third party, such as a content delivery network (CDN). This ensures these assets have not been compromised for hostile purposes and was created in response to a number of attacks where CDN-served content was injected with malicious code, compromising thousands of websites using it.
To use SRI, a website author wishing to include a resource from a thi...
2 Likes
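As an added example (not part of the original posts, and not Prismic's or Gatsby's code): Node.js code showing how an integrity value like the one in the tag above is produced, and how a browser-style check rejects changed bytes. The function names and the sample script bytes are constructed for illustration.

```javascript
const { createHash } = require("crypto");

// Algorithms defined for SRI, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Return "<algo>-<base64 digest>" for the exact bytes the CDN serves.
function sriHash(bytes, algo = "sha384") {
  if (!STRENGTH.includes(algo)) throw new Error("unsupported algorithm: " + algo);
  return algo + "-" + createHash(algo).update(bytes).digest("base64");
}

// Build the tag for a cross-origin script. `url` is assumed to be a trusted
// build-time constant, so it is not HTML-escaped here.
function scriptTag(url, bytes) {
  return `<script src="${url}" integrity="${sriHash(bytes)}" crossorigin="anonymous"></script>`;
}

// Mimic the browser check: parse the integrity list, keep only the strongest
// algorithm present, and accept if any digest of that strength matches.
function verifySri(bytes, integrity) {
  const entries = integrity.trim().split(/\s+/)
    .map((t) => t.split("?")[0])                  // drop optional "?options"
    .map((t) => [t.slice(0, t.indexOf("-")), t])
    .filter(([algo]) => STRENGTH.includes(algo));
  if (entries.length === 0) return true;          // no usable metadata: nothing is enforced
  const best = Math.max(...entries.map(([a]) => STRENGTH.indexOf(a)));
  return entries
    .filter(([a]) => STRENGTH.indexOf(a) === best)
    .some(([a, token]) => token === sriHash(bytes, a));
}

// Constructed sample bytes standing in for the third-party script.
const original = Buffer.from("window.lib = { version: '1.0.0' };\n");
const tampered = Buffer.from("window.lib = { version: '1.0.0' }; /* injected */\n");
const pinned = sriHash(original);

console.log(scriptTag("https://cdn.example.com/app.js", original));
console.log("original accepted:", verifySri(original, pinned));
console.log("tampered accepted:", verifySri(tampered, pinned));
```

The digest pins the exact bytes, so if the CDN serves a new build at the same unversioned URL, the browser will refuse to run it until the hash is regenerated.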
jason1
(jason rousell)
August 3, 2020, 12:20pm
3
Hi @marcellothearcane, thanks for that … We’re using Gatsby to generate a static site with content from Prismic, so I guess we should look at trying to inject the above into the Gatsby build process, or maybe use Helmet in the source to add it … you’ve given some food for thought, so thanks.
1 Like
Pau
closed, flag & select 'Something Else' to reopen.
September 25, 2020, 8:15pm
7
This issue has been closed due to inactivity.