diff --git a/fern/products/docs/pages/changelog/2026-07-15.mdx b/fern/products/docs/pages/changelog/2026-07-15.mdx new file mode 100644 index 000000000..9a962b0fa --- /dev/null +++ b/fern/products/docs/pages/changelog/2026-07-15.mdx @@ -0,0 +1,14 @@ +## Opt remote scripts out of SRI + +customization, docs.yml, security + +Fern adds a Subresource Integrity (SRI) `integrity` attribute to remote `js` scripts by default. You can now disable SRI on a specific remote script without turning it off globally. Disable it for scripts that update in place, such as auto-updating or CDN-rolled scripts, which SRI would otherwise block. + +```yaml title="docs.yml" +js: + - url: https://cdn.example.com/a.js + disable-sri: true # rendered without an integrity attribute + - url: https://cdn.example.com/b.js # still gets SRI (default) +``` + + diff --git a/fern/products/docs/pages/customization/custom-css-js.mdx b/fern/products/docs/pages/customization/custom-css-js.mdx index d770ce353..1b9f1ef66 100644 --- a/fern/products/docs/pages/customization/custom-css-js.mdx +++ b/fern/products/docs/pages/customization/custom-css-js.mdx @@ -399,21 +399,30 @@ js: -We use `path` for local sources and `url` for remote sources. +Use `path` for local sources and `url` for remote sources. Remote scripts get [Subresource Integrity](#properties) protection by default. -### Strategy - -Optionally, specify the strategy for each custom JavaScript file. Choose from `beforeInteractive`, `afterInteractive` (default), and `lazyOnload`. +### Properties ```yaml js: - path: path/to/another/js/file.js strategy: beforeInteractive + - url: https://cdn.example.com/a.js + disable-sri: true # rendered without an integrity attribute + - url: https://cdn.example.com/b.js # still gets SRI (default) ``` + + When the script loads. + + + + Opts a remote script out of [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity). By default, Fern adds an `integrity` attribute (and `crossorigin`) to remote scripts, so the browser only runs a script whose content matches the expected hash. Set to `true` for scripts that update in place, such as auto-updating or CDN-rolled scripts, which SRI would otherwise block. + + ### Common use cases - **Third-party integrations:** For tools not natively supported in `docs.yml`, add analytics, session recording, support widgets, or tag managers by pasting their embed snippets into your custom JS file. See [Integrating third-party tools](/learn/docs/integrations/overview#connect-other-integrations-via-custom-javascript) for supported tools and examples.