From 175028acede6de7b311b0a8fc5b7dee9cee4857b Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 15 Jul 2026 17:08:44 +0000
Subject: [PATCH 1/2] docs: document per-script disable-sri for remote js
scripts
Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
---
fern/products/docs/pages/changelog/2026-07-15.mdx | 14 ++++++++++++++
.../docs/pages/customization/custom-css-js.mdx | 13 +++++++++++++
2 files changed, 27 insertions(+)
create mode 100644 fern/products/docs/pages/changelog/2026-07-15.mdx
diff --git a/fern/products/docs/pages/changelog/2026-07-15.mdx b/fern/products/docs/pages/changelog/2026-07-15.mdx
new file mode 100644
index 000000000..9fe0b7c1b
--- /dev/null
+++ b/fern/products/docs/pages/changelog/2026-07-15.mdx
@@ -0,0 +1,14 @@
+## Opt remote scripts out of SRI
+
+customization, docs.yml, security
+
+Fern adds a Subresource Integrity (SRI) `integrity` attribute to remote `js` scripts by default. You can now set `disable-sri: true` on a specific remote script to render it without an `integrity` attribute, which is required for scripts whose content changes at the same URL.
+
+```yaml title="docs.yml"
+js:
+ - url: https://cdn.example.com/a.js
+ disable-sri: true # rendered without an integrity attribute
+ - url: https://cdn.example.com/b.js # still gets SRI (default)
+```
+
+
diff --git a/fern/products/docs/pages/customization/custom-css-js.mdx b/fern/products/docs/pages/customization/custom-css-js.mdx
index d770ce353..faa46642f 100644
--- a/fern/products/docs/pages/customization/custom-css-js.mdx
+++ b/fern/products/docs/pages/customization/custom-css-js.mdx
@@ -414,6 +414,19 @@ js:
```
+### Subresource integrity
+
+Fern adds a [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) `integrity` attribute (and `crossorigin`) to remote `js` scripts so the browser verifies the fetched file matches an expected hash. Set `disable-sri: true` on a remote script to render it without an `integrity` attribute. This is required for scripts whose content changes at the same URL.
+
+
+```yaml
+js:
+ - url: https://cdn.example.com/a.js
+ disable-sri: true # rendered without an integrity attribute
+ - url: https://cdn.example.com/b.js # still gets SRI (default)
+```
+
+
### Common use cases
- **Third-party integrations:** For tools not natively supported in `docs.yml`, add analytics, session recording, support widgets, or tag managers by pasting their embed snippets into your custom JS file. See [Integrating third-party tools](/learn/docs/integrations/overview#connect-other-integrations-via-custom-javascript) for supported tools and examples.
From 850c33c6c634dc2d90eb8cba9608de041f109aef Mon Sep 17 00:00:00 2001
From: Devin Logan
Date: Thu, 16 Jul 2026 14:58:02 -0400
Subject: [PATCH 2/2] update text
---
.../docs/pages/changelog/2026-07-15.mdx | 4 ++--
.../pages/customization/custom-css-js.mdx | 24 ++++++++-----------
2 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/fern/products/docs/pages/changelog/2026-07-15.mdx b/fern/products/docs/pages/changelog/2026-07-15.mdx
index 9fe0b7c1b..9a962b0fa 100644
--- a/fern/products/docs/pages/changelog/2026-07-15.mdx
+++ b/fern/products/docs/pages/changelog/2026-07-15.mdx
@@ -2,7 +2,7 @@
customization, docs.yml, security
-Fern adds a Subresource Integrity (SRI) `integrity` attribute to remote `js` scripts by default. You can now set `disable-sri: true` on a specific remote script to render it without an `integrity` attribute, which is required for scripts whose content changes at the same URL.
+Fern adds a Subresource Integrity (SRI) `integrity` attribute to remote `js` scripts by default. You can now disable SRI on a specific remote script without turning it off globally. Disable it for scripts that update in place, such as auto-updating or CDN-rolled scripts, which SRI would otherwise block.
```yaml title="docs.yml"
js:
@@ -11,4 +11,4 @@ js:
- url: https://cdn.example.com/b.js # still gets SRI (default)
```
-
+
diff --git a/fern/products/docs/pages/customization/custom-css-js.mdx b/fern/products/docs/pages/customization/custom-css-js.mdx
index faa46642f..1b9f1ef66 100644
--- a/fern/products/docs/pages/customization/custom-css-js.mdx
+++ b/fern/products/docs/pages/customization/custom-css-js.mdx
@@ -399,34 +399,30 @@ js:
-We use `path` for local sources and `url` for remote sources.
+Use `path` for local sources and `url` for remote sources. Remote scripts get [Subresource Integrity](#properties) protection by default.
-### Strategy
-
-Optionally, specify the strategy for each custom JavaScript file. Choose from `beforeInteractive`, `afterInteractive` (default), and `lazyOnload`.
+### Properties
```yaml
js:
- path: path/to/another/js/file.js
strategy: beforeInteractive
-```
-
-
-### Subresource integrity
-
-Fern adds a [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) `integrity` attribute (and `crossorigin`) to remote `js` scripts so the browser verifies the fetched file matches an expected hash. Set `disable-sri: true` on a remote script to render it without an `integrity` attribute. This is required for scripts whose content changes at the same URL.
-
-
-```yaml
-js:
- url: https://cdn.example.com/a.js
disable-sri: true # rendered without an integrity attribute
- url: https://cdn.example.com/b.js # still gets SRI (default)
```
+
+ When the script loads.
+
+
+
+ Opts a remote script out of [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity). By default, Fern adds an `integrity` attribute (and `crossorigin`) to remote scripts, so the browser only runs a script whose content matches the expected hash. Set to `true` for scripts that update in place, such as auto-updating or CDN-rolled scripts, which SRI would otherwise block.
+
+
### Common use cases
- **Third-party integrations:** For tools not natively supported in `docs.yml`, add analytics, session recording, support widgets, or tag managers by pasting their embed snippets into your custom JS file. See [Integrating third-party tools](/learn/docs/integrations/overview#connect-other-integrations-via-custom-javascript) for supported tools and examples.