• Resolved Jason Lefkowitz

    (@jalefkowit)


    Is there a way to configure CTF so that it loads external resources from Twitter (e.g. platform.twitter.com/widgets.js) using Subresource Integrity (SRI)? This would guarantee that the script the browser downloads hasn’t been tampered with.

    Our site has to be PCI compliant, and the compliance auditors have started flagging external resources loaded without SRI as a compliance-breaking problem, so this is not an academic concern for us. We’ll either need to find a way to make CTF load its resources with SRI or drop the plugin altogether.

    Thanks in advance for any help you can provide!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor Craig at Smash Balloon

    (@craig-at-smash-balloon)

    Hey Jason,

    Sorry for the delay! I think we will change how this works in an update. We should have something very soon!

    Let me know if you have more questions.

    Thanks,

    Craig

    Plugin Contributor Craig at Smash Balloon

    (@craig-at-smash-balloon)

    I just wanted to let you know that this has been fixed/changed in the update pushed out today. You can even completely disable the widgets.js code using a setting on the “Customize” tab if you wish.

    Thread Starter Jason Lefkowitz

    (@jalefkowit)

    Terrific! Thanks so much for your responsiveness on this, I’m looking forward to pulling down the update and checking it out.

The topic ‘Subresource Integrity?’ is closed to new replies.
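The audit finding described in the opening post, as an added example that is not part of the thread or the plugin's code: a Python check that lists the cross-origin scripts and stylesheets in a page that have no `integrity` attribute, or have one without `crossorigin`. The sample HTML, the placeholder hosts `shop.example` and `cdn.example`, and the function names are assumptions made for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALGOS = ("sha256", "sha384", "sha512")  # hash functions SRI defines

def sri_value(body: bytes, algo: str = "sha384") -> str:
    """Integrity attribute value for the exact bytes of a resource."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

class _Collector(HTMLParser):
    """Collect script src and stylesheet href URLs with their attributes."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href")
        is_css = tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split()
        if url and (tag == "script" or is_css):
            self.found.append((url, a))

def audit_sri(html: str, site_host: str) -> list:
    """Return (url, problem) for each cross-origin resource an SRI audit flags."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for url, attrs in collector.found:
        host = urlsplit(url).netloc  # also handles //host/path URLs
        if not host or host == site_host:
            continue  # same-origin: not an external resource
        tokens = (attrs.get("integrity") or "").split()
        if not any(t.split("-")[0] in ALGOS for t in tokens):
            findings.append((url, "no integrity attribute"))
        elif "crossorigin" not in attrs:
            # Without CORS the response is opaque and the SRI check fails
            findings.append((url, "integrity set but crossorigin missing"))
    return findings

# Constructed sample page; cdn.example and shop.example are placeholder hosts.
PIN = sri_value(b"constructed resource body")
SAMPLE = f"""
<script src="/wp-includes/js/local.js"></script>
<script async src="https://platform.twitter.com/widgets.js"></script>
<script src="https://cdn.example/lib.js" integrity="{PIN}" crossorigin="anonymous"></script>
<link rel="stylesheet" href="//cdn.example/style.css" integrity="{PIN}">
"""
```

A pinned hash only stays valid while the file's bytes do not change, so an integrity value on an unversioned URL stops the resource from loading as soon as its publisher updates it.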