From 175028acede6de7b311b0a8fc5b7dee9cee4857b Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Wed, 15 Jul 2026 17:08:44 +0000 Subject: [PATCH 1/2] docs: document per-script disable-sri for remote js scripts Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> --- fern/products/docs/pages/changelog/2026-07-15.mdx | 14 ++++++++++++++ .../docs/pages/customization/custom-css-js.mdx | 13 +++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 fern/products/docs/pages/changelog/2026-07-15.mdx diff --git a/fern/products/docs/pages/changelog/2026-07-15.mdx b/fern/products/docs/pages/changelog/2026-07-15.mdx new file mode 100644 index 000000000..9fe0b7c1b --- /dev/null +++ b/fern/products/docs/pages/changelog/2026-07-15.mdx @@ -0,0 +1,14 @@ +## Opt remote scripts out of SRI + +customization, docs.yml, security + +Fern adds a Subresource Integrity (SRI) `integrity` attribute to remote `js` scripts by default. You can now set `disable-sri: true` on a specific remote script to render it without an `integrity` attribute, which is required for scripts whose content changes at the same URL. + +```yaml title="docs.yml" +js: + - url: https://cdn.example.com/a.js + disable-sri: true # rendered without an integrity attribute + - url: https://cdn.example.com/b.js # still gets SRI (default) +``` + + diff --git a/fern/products/docs/pages/customization/custom-css-js.mdx b/fern/products/docs/pages/customization/custom-css-js.mdx index d770ce353..faa46642f 100644 --- a/fern/products/docs/pages/customization/custom-css-js.mdx +++ b/fern/products/docs/pages/customization/custom-css-js.mdx @@ -414,6 +414,19 @@ js: ``` +### Subresource integrity + +Fern adds a [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) `integrity` attribute (and `crossorigin`) to remote `js` scripts so the browser verifies the fetched file matches an expected hash. Set `disable-sri: true` on a remote script to render it without an `integrity` attribute. This is required for scripts whose content changes at the same URL. + + +```yaml +js: + - url: https://cdn.example.com/a.js + disable-sri: true # rendered without an integrity attribute + - url: https://cdn.example.com/b.js # still gets SRI (default) +``` + + ### Common use cases - **Third-party integrations:** For tools not natively supported in `docs.yml`, add analytics, session recording, support widgets, or tag managers by pasting their embed snippets into your custom JS file. See [Integrating third-party tools](/learn/docs/integrations/overview#connect-other-integrations-via-custom-javascript) for supported tools and examples. From 850c33c6c634dc2d90eb8cba9608de041f109aef Mon Sep 17 00:00:00 2001 From: Devin Logan Date: Thu, 16 Jul 2026 14:58:02 -0400 Subject: [PATCH 2/2] update text --- .../docs/pages/changelog/2026-07-15.mdx | 4 ++-- .../pages/customization/custom-css-js.mdx | 24 ++++++++----------- 2 files changed, 12 insertions(+), 16 deletions(-) diff --git a/fern/products/docs/pages/changelog/2026-07-15.mdx b/fern/products/docs/pages/changelog/2026-07-15.mdx index 9fe0b7c1b..9a962b0fa 100644 --- a/fern/products/docs/pages/changelog/2026-07-15.mdx +++ b/fern/products/docs/pages/changelog/2026-07-15.mdx @@ -2,7 +2,7 @@ customization, docs.yml, security -Fern adds a Subresource Integrity (SRI) `integrity` attribute to remote `js` scripts by default. You can now set `disable-sri: true` on a specific remote script to render it without an `integrity` attribute, which is required for scripts whose content changes at the same URL. +Fern adds a Subresource Integrity (SRI) `integrity` attribute to remote `js` scripts by default. You can now disable SRI on a specific remote script without turning it off globally. Disable it for scripts that update in place, such as auto-updating or CDN-rolled scripts, which SRI would otherwise block. ```yaml title="docs.yml" js: @@ -11,4 +11,4 @@ js: - url: https://cdn.example.com/b.js # still gets SRI (default) ``` - + diff --git a/fern/products/docs/pages/customization/custom-css-js.mdx b/fern/products/docs/pages/customization/custom-css-js.mdx index faa46642f..1b9f1ef66 100644 --- a/fern/products/docs/pages/customization/custom-css-js.mdx +++ b/fern/products/docs/pages/customization/custom-css-js.mdx @@ -399,34 +399,30 @@ js: -We use `path` for local sources and `url` for remote sources. +Use `path` for local sources and `url` for remote sources. Remote scripts get [Subresource Integrity](#properties) protection by default. -### Strategy - -Optionally, specify the strategy for each custom JavaScript file. Choose from `beforeInteractive`, `afterInteractive` (default), and `lazyOnload`. +### Properties ```yaml js: - path: path/to/another/js/file.js strategy: beforeInteractive -``` - - -### Subresource integrity - -Fern adds a [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) `integrity` attribute (and `crossorigin`) to remote `js` scripts so the browser verifies the fetched file matches an expected hash. Set `disable-sri: true` on a remote script to render it without an `integrity` attribute. This is required for scripts whose content changes at the same URL. - - -```yaml -js: - url: https://cdn.example.com/a.js disable-sri: true # rendered without an integrity attribute - url: https://cdn.example.com/b.js # still gets SRI (default) ``` + + When the script loads. + + + + Opts a remote script out of [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity). By default, Fern adds an `integrity` attribute (and `crossorigin`) to remote scripts, so the browser only runs a script whose content matches the expected hash. Set to `true` for scripts that update in place, such as auto-updating or CDN-rolled scripts, which SRI would otherwise block. + + ### Common use cases - **Third-party integrations:** For tools not natively supported in `docs.yml`, add analytics, session recording, support widgets, or tag managers by pasting their embed snippets into your custom JS file. See [Integrating third-party tools](/learn/docs/integrations/overview#connect-other-integrations-via-custom-javascript) for supported tools and examples.