docs: add SRI hash to CDN-loaded Redoc script#46
Open
dmchaledev wants to merge 1 commit into
Open
Conversation
The published API docs page (docs/index.html) loads redoc.standalone.js from the jsdelivr CDN with no integrity check, so a compromised or tampered CDN response would execute unmodified on the public GitHub Pages site. The repo already pins Redoc to an exact version (72a5ab9); this pairs that pin with a matching sha384 SRI hash plus crossorigin="anonymous" so the browser refuses to run the script if its bytes ever diverge from what was verified. Confirmed the file's SHA-256 matches jsdelivr's own recorded hash for the pinned version, and that jsdelivr serves Access-Control-Allow-Origin: * so the crossorigin fetch succeeds. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01VdzPV1XRNcdyiwo4NKvNy8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
docs/index.html(the page served at the public GitHub Pages API reference) loadsredoc.standalone.jsfrom the jsdelivr CDN with no integrity check. If that CDN response were ever tampered with or the version's published bytes changed, the browser would execute it unmodified on the live docs site.This adds Subresource Integrity to the existing pinned-version
<script>tag:This follows the same spirit as the earlier "Pin Redoc and Spectral CLI to exact versions" change — pinning the version alone doesn't prevent a compromised/altered CDN response from executing; SRI does.
Verification
redoc@2.5.3/bundles/redoc.standalone.jsfrom jsdelivr and computed its SHA-384 for theintegrityattribute.data.jsdelivr.com) — they match, plus the byte size matches (1,097,271 bytes), confirming the hash corresponds to the file currently served.Access-Control-Allow-Origin: *, socrossorigin="anonymous"won't block the script load in real browsers.Test plan
Generated by Claude Code