Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions fern/products/docs/pages/changelog/2026-07-15.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
## Opt remote scripts out of SRI

<ChangelogTags>customization, docs.yml, security</ChangelogTags>

Fern adds a Subresource Integrity (SRI) `integrity` attribute to remote `js` scripts by default. You can now disable SRI on a specific remote script without turning it off globally. Disable it for scripts that update in place, such as auto-updating or CDN-rolled scripts, which SRI would otherwise block.

```yaml title="docs.yml"
js:
- url: https://cdn.example.com/a.js
disable-sri: true # rendered without an integrity attribute
- url: https://cdn.example.com/b.js # still gets SRI (default)
```

<Button intent="none" outlined rightIcon="arrow-right" href="/learn/docs/customization/custom-css-js#disable-sri">Read the docs</Button>
17 changes: 13 additions & 4 deletions fern/products/docs/pages/customization/custom-css-js.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -399,21 +399,30 @@ js:
</CodeBlock>

<Note>
We use `path` for local sources and `url` for remote sources.
Use `path` for local sources and `url` for remote sources. Remote scripts get [Subresource Integrity](#properties) protection by default.
</Note>

### Strategy

Optionally, specify the strategy for each custom JavaScript file. Choose from `beforeInteractive`, `afterInteractive` (default), and `lazyOnload`.
### Properties

<CodeBlock title="docs.yml">
```yaml
js:
- path: path/to/another/js/file.js
strategy: beforeInteractive
- url: https://cdn.example.com/a.js
disable-sri: true # rendered without an integrity attribute
- url: https://cdn.example.com/b.js # still gets SRI (default)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📝 [vale] reported by reviewdog 🐶
[FernStyles.Acronyms] 'SRI' has no definition.

```
</CodeBlock>

<ParamField path="strategy" type="'beforeInteractive' | 'afterInteractive' | 'lazyOnload'" required={false} default="afterInteractive" toc={true}>
When the script loads.
</ParamField>

<ParamField path="disable-sri" type="boolean" required={false} default="false" toc={true}>
Opts a remote script out of [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity). By default, Fern adds an `integrity` attribute (and `crossorigin`) to remote scripts, so the browser only runs a script whose content matches the expected hash. Set to `true` for scripts that update in place, such as auto-updating or CDN-rolled scripts, which SRI would otherwise block.
</ParamField>

### Common use cases

- **Third-party integrations:** For tools not natively supported in `docs.yml`, add analytics, session recording, support widgets, or tag managers by pasting their embed snippets into your custom JS file. See [Integrating third-party tools](/learn/docs/integrations/overview#connect-other-integrations-via-custom-javascript) for supported tools and examples.
Expand Down
Loading