Create-react-app: Add support for SRI (Subresource Integrity)
SRI used to be supported in CRA (facebook/create-react-app#1176) but it was removed because of some incompatibilities (facebook/create-react-app#1231).
Could we re-add SRI support in CRA? I feel like the reasons given in #1231 could be solved.
willdurand
All 8 comments
Here are some benefits of SRI:
- It protects against CDN takeovers. This is important because CDNs are often third party services with separate credentials, etc.
- It adds defense in depth against DNS hijacking
- It adds defense in depth against malicious (or privacy invasive) browser extensions and / or anti-virus software
- It allows you to use a CDN without https more safely. Today, this is not so important since most CDNs use https.
kumar303
on 7 May 2019
This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.
![stale[bot] picture](https://avatars3.githubusercontent.com/in/1724?v=4&s=40)
stale[bot]
on 6 Jun 2019
Well... this issue is rather waiting for constructive comments (not from a bot) :)
willdurand
on 6 Jun 2019
I wonder if taking essentially the same approach as the original one in #1176, but with an env var to disable it if it causes issues (similar to INLINE_RUNTIME_CHUNK for those of use using strict CSP configurations that ban unsafe-inline) would be best? or even off by default with an env var to opt in (although imo making security opt-in isn't the best idea)
cnorthwood
on 17 Jun 2019
This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.
stale[bot]
on 17 Jul 2019
This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.
Nope.
willdurand
on 18 Jul 2019
Hi all, any headway/updates on this re-roll out? Thanks
murphman300
on 18 Dec 2019
Any updates?
maxburke
on 31 Aug 2020
Related issues
onelson
路
3Comments
Aranir
路
3Comments
alleroux
路
3Comments
stopachka
路
3Comments
fson
路
3Comments
Most helpful comment
I wonder if taking essentially the same approach as the original one in #1176, but with an env var to disable it if it causes issues (similar to
INLINE_RUNTIME_CHUNKfor those of use using strict CSP configurations that banunsafe-inline) would be best? or even off by default with an env var to opt in (although imo making security opt-in isn't the best idea)