According to MDN, "Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match."
I believe that automatically generating and adding SRI hashes to the documentation would provide a real benefit to Sentry.io users. For example, in JavaScript/Installation, one would change:
<script src="https://cdn.ravenjs.com/3.15.0/raven.min.js"></script>
to
<script src="https://cdn.ravenjs.com/3.15.0/raven.min.js" integrity="sha384-emluOS7+UrA6MIOAWxw8L52iFpZNh7+i1kKBfkofwZJn/s66JpKS9gR1ZMOwiayX" crossorigin="anonymous"></script>
If other users wish to adopt this quickly, I generated the integrity hash via SRI Hash Generator and verified via MDN: Tools for generating SRI hashes. Now, figuring out how to automatically generate and insert it into the documentation would be up to you.
We agree, and we'll make it happen.
I'm keen on this feature; would there be anything we could do PR-wise to speed it along?
Thanks, @M1ke, however right now we're in the process of rolling out v4 of our SDKs. We'll definitely get back to this issue one day :)
@benvinegar @kamilogorek any updates on this?
In the meantime, can you guarantee that the current URLs will never change content, so that we can start using this even though it's not documented? e.g.
<script src="https://browser.sentry-cdn.com/4.3.0/bundle.min.js" integrity="sha384-cOcwme53k92SVDcGENwB19CkMgqrWCk7uwWQj+Wk7ojGnnHsDtE7NZHHyIuls0lp" crossorigin="anonymous"></script>
can you guarantee that the current URLs will never change content
Yes, that's a guarantee.
Afternoon Folks 👋
Was any progress on this ever made? We've just been through a security audit and the lack of SRI on the sentry/raven script got flagged, only minor, but would be nice to cover it off.
@SirRawlins I'll make sure to escalate this issue on Monday and will try to deliver it next week. Already put it on my schedule! :)
@SirRawlins starting version 5.5.0, our browser SDK hosted on CDN has integrity checksums included - https://docs.sentry.io/platforms/javascript/ :)
That is awesome Kamil, thank you so much.
On Fri, 26 Jul 2019, 13:13 Kamil Ogórek, notifications@github.com wrote:
@SirRawlins https://github.com/SirRawlins starting version 5.5.0, our browser SDK hosted on CDN has integrity checksums included - https://docs.sentry.io/platforms/javascript/ :)