Add SRI Hash for jQuery from CDN #2308

Merged: 1 commit, Jan 17, 2017

@mik-laj (Contributor) commented Jan 15, 2017

Hello,

It's a security improvement. You could read more about it on: https://www.srihash.org/

Thanks in advance
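
The check that an SRI `integrity` attribute asks the browser to perform, as an added example that is not part of this pull request or the project's code: it computes an integrity value and evaluates it the way the SRI specification describes (only the strongest listed algorithm counts, and an attribute with no recognised algorithm is not enforced). The function names and the sample bytes standing in for the CDN-hosted jQuery file are assumptions constructed for illustration.

```python
import base64
import hashlib

# Algorithms the SRI specification defines, weakest to strongest.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(data: bytes, alg: str = "sha384") -> str:
    """Return an integrity value such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> list[tuple[str, str]]:
    """Split an integrity attribute into (alg, base64) pairs, skipping unknown tokens."""
    parsed = []
    for token in attr.split():
        alg, sep, value = token.partition("-")
        value = value.split("?", 1)[0]  # drop optional ?options
        if sep and alg.lower() in _STRENGTH and value:
            parsed.append((alg.lower(), value))
    return parsed


def verify_integrity(data: bytes, attr: str) -> bool:
    """Mimic the browser check: only the strongest listed algorithm counts."""
    metadata = parse_integrity(attr)
    if not metadata:
        # No usable metadata: the browser loads the resource unchecked.
        return True
    strongest = max(metadata, key=lambda m: _STRENGTH[m[0]])[0]
    actual = sri_hash(data, strongest).split("-", 1)[1]
    return any(v == actual for a, v in metadata if a == strongest)


# Constructed sample standing in for the CDN-hosted script body.
ORIGINAL = b"/* constructed sample library */ window.lib = {};\n"
TAMPERED = ORIGINAL + b"/* injected */\n"

if __name__ == "__main__":
    value = sri_hash(ORIGINAL)
    print(f'integrity="{value}" crossorigin="anonymous"')
    print("original accepted:", verify_integrity(ORIGINAL, value))
    print("tampered accepted:", verify_integrity(TAMPERED, value))
```

A misspelled or unsupported algorithm prefix makes the whole attribute unenforced, so it is worth checking the deployed value with a function like `verify_integrity` against the exact file the CDN serves.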

@stephengroat (Contributor) commented

Thanks for the info @mik-laj

I think the idea of the hash is great, but I'm not 100% on the https: added to the src.
Seems like https is more of a transport layer configuration issue that should be configured at that layer, not in an application/presentation layer function

@Jawshy added the "enhancement" label (Issue/PR contains enhancements to the overall code of the site.) Jan 16, 2017

@mxxcon (Contributor) left a comment

@stephengroat But we are using HSTS, so pretty much all requests to our site are over HTTPS. Might as well hardcode all external resources to use HTTPS too. There's no drawback if somebody still manages to get to the site using HTTP.

@jamcat22 (Member) left a comment

I agree with @mxxcon. Additionally, as of v2.1, HTTPS is hardcoded into the configuration file, and any HTTP version of a page is now forced to redirect to the HTTPS version, even in browsers without HSTS support.

@Carlgo11 merged commit 3470ccc into 2factorauth:master Jan 17, 2017
@stephengroat added a commit to stephengroat/twofactorauth that referenced this pull request Jan 18, 2017
@stephengroat mentioned this pull request Jan 18, 2017