Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fingerprinting and SRI ordering issue #5296

Closed
onedrawingperday opened this issue Oct 8, 2018 · 2 comments · Fixed by #5363
Closed

Fingerprinting and SRI ordering issue #5296

onedrawingperday opened this issue Oct 8, 2018 · 2 comments · Fixed by #5363
Labels
Bug Outdated
Milestone
v0.50

Comments

@onedrawingperday
Copy link
Contributor

onedrawingperday commented Oct 8, 2018
edited
Loading

It seems that to generate the SHA value for an inline script we need to wrap it within a {{ if $secureJS.Content }}{{ end }} before accessing the integrity.

Also see related Forum topic: https://discourse.gohugo.io/t/generate-inline-script-sha-for-content-security-policy/14627
@bep bep added the Enhancement label Oct 8, 2018
@bep bep added this to the v0.50 milestone Oct 8, 2018
@bep bep added Bug and removed Enhancement labels Oct 27, 2018
@bep
Copy link
Member

bep commented Oct 27, 2018

I will fix this, but note that in the original problem case, adding MIME type to the script would also work:

<script type="{{ $secureJS.MediaType }}" integrity="{{ $secureJS.Data.Integrity }}">{{ $secureJS.Content | safeJS }}</script>

bep added a commit to bep/hugo that referenced this issue Oct 27, 2018
@bep
resource: Allow .Data.Integrity to be accessed on its own
4b58327 
Fixes gohugoio#5296
@bep bep mentioned this issue Oct 27, 2018
Merged
@bep bep closed this as completed in #5363 Oct 27, 2018
bep added a commit that referenced this issue Oct 27, 2018
@bep
resource: Allow .Data.Integrity to be accessed on its own
b27ccf3 
Fixes #5296
@dependencies dependencies bot mentioned this issue Oct 29, 2018
Closed
@github-actions
Copy link

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 24, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Bug Outdated
Projects
None yet
Milestone
v0.50
Development

Successfully merging a pull request may close this issue.

resource: Allow .Data.Integrity to be accessed on its own bep/hugo
2 participants
@bep @onedrawingperday