This repository has been archived by the owner on May 16, 2024. It is now read-only.

Subresource Integrity advice #78

Open
soulgalore opened this issue Apr 17, 2016 · 5 comments

@soulgalore
Member

soulgalore commented Apr 17, 2016

As reported by @tobli this could be something for the coach:
https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/
https://hacks.mozilla.org/2016/04/how-to-implement-sri-into-your-build-process/

We could add an advice and put it in the best practice category for now.

@jdorfman

@soulgalore First I want to say how amazing this product is. Especially the little big details such as:

The page is using SPDY. Chrome will drop support for SPDY May 15th. Change to HTTP/2 asap.

Would you like the advice as a PR or a User Story written in Gherkin Lang? Let me know, can't wait to get this in.

@soulgalore
Member Author

Thanks @jdorfman :) The good thing, I think, is that we know that something like the coach is never finished, so we will continue to add/change advice when browsers evolve.

If you could implement it and send a PR that would be great! @tobli and my work on sitespeed.io 4.0 will keep us busy for the coming months so if you have time to implement it, it would be great! And we can help out of course, there can be some docs that are missing. Ping me on Twitter/email or this issue :)

@jdorfman

I think @jonathanKingston might be able to get this done faster than I can. I am going to send him an email.

@jonathanKingston

Hey @jdorfman we should start an SRI anonymous club :). Thanks for pinging me.

I don't have the greatest amount of time at the moment; however, we can kick off the conversation at least.

Checking for validity probably makes sense here and advising if they have it wrong (not sure if multiple states for the message are exposable on the report card at the moment).

  • You have scripts without SRI, consider using
  • SRI setup is invalid
  • Well done etc.

For security related tests the amazing https://github.com/mozilla/http-observatory by @marumari is worth checking out as there will be massive overlap.
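
A sketch of the three-state check proposed in the comment above, added here as an example; it is not part of the thread and not the coach's own code. The input shape (`src`, `integrity`, `crossorigin`), the state codes and the choice to expect SRI only on cross-origin scripts are assumptions.

```javascript
// Added example (not the coach's code). Field names and state codes are assumptions.
const DIGEST_BYTES = { sha256: 32, sha384: 48, sha512: 64 };

// True if one integrity token looks like "<alg>-<base64 digest>[?options]"
// with a supported algorithm and a digest of the right length for it.
function validToken(token) {
  const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
  return m !== null && Buffer.from(m[2], 'base64').length === DIGEST_BYTES[m[1]];
}

// Classify one external script as 'ok', 'missing' or 'invalid'.
function classifyScript(script, pageOrigin) {
  const crossOrigin = new URL(script.src, pageOrigin).origin !== pageOrigin;
  const integrity = (script.integrity || '').trim();
  // Assumption: only cross-origin scripts are expected to carry SRI.
  if (!integrity) return crossOrigin ? 'missing' : 'ok';
  // Browsers skip tokens they cannot parse; if none is usable, no check happens.
  if (!integrity.split(/\s+/).some(validToken)) return 'invalid';
  // Cross-origin integrity checks need a CORS request, i.e. a crossorigin
  // attribute; without it the response is opaque and the script is blocked.
  if (crossOrigin && script.crossorigin == null) return 'invalid';
  return 'ok';
}

// Reduce all scripts to one page-level state; 'invalid' outranks 'missing'.
function sriAdvice(scripts, pageOrigin) {
  const byState = { ok: [], missing: [], invalid: [] };
  for (const s of scripts) byState[classifyScript(s, pageOrigin)].push(s.src);
  const state = byState.invalid.length ? 'invalid'
    : byState.missing.length ? 'missing' : 'ok';
  return { state, missing: byState.missing, invalid: byState.invalid };
}

// Constructed sample input: the digest is filler bytes of the right length,
// not a real hash, and the hosts are placeholders.
const digest = Buffer.alloc(48, 1).toString('base64');
const sample = [
  { src: '/js/app.js' },
  { src: 'https://cdn.example/a.js', integrity: `sha384-${digest}`, crossorigin: 'anonymous' },
  { src: 'https://cdn.example/b.js' },
  { src: 'https://cdn.example/c.js', integrity: `sha384-${digest}` },
  { src: 'https://cdn.example/d.js', integrity: 'md5-abc', crossorigin: 'anonymous' },
];
console.log(sriAdvice(sample, 'https://www.example'));
```

This only checks that the attribute is well formed; confirming that the digest matches the served file would require fetching and hashing the script body.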

@XhmikosR
Contributor

I tried looking into this but since I'm on Windows I'm hitting #119.

Once that's sorted, perhaps with #118 for automated Windows testing, I will try to take a stab at this.
