Skip to content

docs: add SRI hash to CDN-loaded Redoc script#46

Open
dmchaledev wants to merge 1 commit into
mainfrom
claude/elegant-edison-4uwr06
Open

docs: add SRI hash to CDN-loaded Redoc script#46
dmchaledev wants to merge 1 commit into
mainfrom
claude/elegant-edison-4uwr06

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Summary

docs/index.html (the page served at the public GitHub Pages API reference) loads redoc.standalone.js from the jsdelivr CDN with no integrity check. If that CDN response were ever tampered with or the version's published bytes changed, the browser would execute it unmodified on the live docs site.

This adds Subresource Integrity to the existing pinned-version <script> tag:

<script
  src="https://cdn.jsdelivr.net/npm/redoc@2.5.3/bundles/redoc.standalone.js"
  integrity="sha384-xiEssMQFSpSfLbzRZCGfxxIM5QDb2DTrU6vyoZdp2sV1L6pmOMy6MpTtUoLbpC96"
  crossorigin="anonymous"
></script>

This follows the same spirit as the earlier "Pin Redoc and Spectral CLI to exact versions" change — pinning the version alone doesn't prevent a compromised/altered CDN response from executing; SRI does.

Verification

  • Downloaded redoc@2.5.3/bundles/redoc.standalone.js from jsdelivr and computed its SHA-384 for the integrity attribute.
  • Cross-checked the file's SHA-256 against jsdelivr's own recorded hash for that exact path/version (data.jsdelivr.com) — they match, plus the byte size matches (1,097,271 bytes), confirming the hash corresponds to the file currently served.
  • Confirmed jsdelivr responds with Access-Control-Allow-Origin: *, so crossorigin="anonymous" won't block the script load in real browsers.

Test plan

  • Load the deployed GitHub Pages docs site after merge and confirm both the ASM and SAT Redoc tabs render normally with no console errors.

Generated by Claude Code

The published API docs page (docs/index.html) loads redoc.standalone.js
from the jsdelivr CDN with no integrity check, so a compromised or
tampered CDN response would execute unmodified on the public GitHub
Pages site. The repo already pins Redoc to an exact version (72a5ab9);
this pairs that pin with a matching sha384 SRI hash plus
crossorigin="anonymous" so the browser refuses to run the script if its
bytes ever diverge from what was verified. Confirmed the file's SHA-256
matches jsdelivr's own recorded hash for the pinned version, and that
jsdelivr serves Access-Control-Allow-Origin: * so the crossorigin fetch
succeeds.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VdzPV1XRNcdyiwo4NKvNy8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants