Font-awesome: Bring back SRI

Created on 21 May 2020 · 9 comments · Source: FortAwesome/Font-Awesome

SRI is no longer available for recent releases. I'm stuck on an old version of FA if I want SRI.

I'd like to know why it was removed in the first place.

In order to achieve PCI compliance all my scripts/css need to have SRI.

Labels: question, waiting for feedback


All 9 comments

Hi!

Thanks for being part of the Font Awesome Community.

You mean SRI in kits, correct?

IIRC there are plans to introduce them, but I cannot find the original issue.
A problem with kits is that they are user configurable, so they have a short expiry time (600 secs). A legit change in the kit configuration will invalidate the SRI and cause issues.

About the CDN, we still have SRI for the CDN, but we are also sunsetting the official CDN in favor of Kits.

If you are logged in at fontawesome.com, you should be able to access the CDN page at https://fontawesome.com/account/cdn (the link is visible in the user menu).

There are also third-party CDNs offering SRI: https://cdnjs.com/libraries/font-awesome

@robmadole any thoughts?

You mean SRI in kits, correct?

Yes, I am paying to use the kits to get access to all the icons and whatnot. But as it stands now I'm stuck on a 5.11.2 kit, as if I try to update it, it will disable SRI.

So.. I want to get access to what I'm paying for while keeping SRI. I'd be willing to use cdnjs.com, but then that will revert me back to the free version, yes?

Yes, I am paying to use the kits to get access to all the icons and whatnot.

In the opening message there was no mention of Font Awesome Pro

I'd be willing to use cdnjs.com, but then that will revert me back to the free version, yes?

Yes, switching to a third-party CDN will revert to free version.

The official Pro CDN is still available with SRI at this link: https://fontawesome.com/account/cdn, but since you are using Pro Kits, let's ask @robmadole if something has changed recently

@laxdragon what I'd recommend is using the Font Awesome Pro Subsetter. You can get it from the download page https://fontawesome.com/download.

As @tagliala mentioned the Kits product is not designed to be used with SRI. This is a decision we made to get some of the other features of Kits finished and to prepare for some future plans. We knew that for some people who require either SRI or CSP that means they cannot use Kits. We have a lot of other ways to use Font Awesome and this trade-off was reasonable in our opinion.

@robmadole did Kits ever have an SRI option before?

@tagliala yes it did. We deprecated it, and no new kits or changes to existing kits support it.

As I mentioned, Kits have SRI NOW, as long as you stick to an older version of a kit. So clearly it had been working, and still works, as long as you stick to an old kit version. In my case I'm still using v5.11.2.

@robmadole I'd much prefer to keep using your CDN, or an alternative for Pro kits. This reduces the upgrade burden on my client side. I only then need to change a single line of code when I want to use a new version. Importing all the individual files to my web structure is something I want to avoid.

I do not understand what the problem of providing an SRI hash is. It is a simple calculation. And regenerating it for each new version is fine IMO.

As I mentioned, Kits have SRI NOW, as long as you stick to an older version of a kit. So clearly it had been working, and still works, as long as you stick to an old kit version. In my case I'm still using v5.11.2.

Yeah, absolutely. We'd never willingly break an existing Kit.

I do not understand what the problem of providing an SRI hash is. It is a simple calculation. And regenerating it for each new version is fine IMO.

The technical requirements are not the issue. It's the implicit contract that is created when a user decides to use SRI. It locks the CDN provider into "I will never change this file" and the developer into "I will take responsibility for managing this hash".

These older versions of the kits will not get the newer features we are working on. Our product direction with Kits includes the ability to update the Kit JavaScript frequently. To reduce complexity on the project and management burden on our users we chose to deprecate this feature. While it's true the hash calculation is simple, the management behind it is not. SRI forces us to prevent any changes to a Kit without involving the user. Inadvertent changes to kits have taken production sites down when individuals were not aware of some of the pitfalls (we have support threads). We looked at the overall percentage of Kits using SRI at the time we made this decision and it was so low that the cons outweighed the pros.

Hope that adds some answers to your questions.

SRI forces us to prevent any changes to a Kit without involving the user.

You should NEVER be pushing changes to a lib without involving the user. Javascript/CSS is not like system libraries. This is the point of SRI. I know I would not want you to make changes to a file I linked to without my knowledge.

I will stay on 5.11 then, as I don't see another option beyond self hosting. If I go the self-hosted download route, you should offer a lower priced tier, as a big part of the reason for paying for pro is hosting.
