Skip to content
This repository has been archived by the owner on Nov 4, 2024. It is now read-only.

Subresource Integrity warning for scripts with data-uri #455

Open
exyi opened this issue Nov 4, 2021 · 0 comments · May be fixed by #493
Open

Subresource Integrity warning for scripts with data-uri #455

exyi opened this issue Nov 4, 2021 · 0 comments · May be fixed by #493

Comments

@exyi
Copy link

exyi commented Nov 4, 2021

I get this warning: "Subresource Integrity (SRI) not implemented, and external scripts are loaded over HTTP or use protocol-relative URLs via src="//...", even though the only script on my page is:

<script src="data:text/javascript;base64,YWxlcnQoMSkK" type=text/javascript></script>

This is the website I tested it on: https://observatory.mozilla.org/analyze/exyi.cz

I don't want to stop using the base64 inline scripts - it allows them to have defer attribute and provides less opportunities for exploitation JSON encoded data in the script by injecting </script> in a string
@exyi exyi linked a pull request Jan 25, 2023 that will close this issue
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

SRI: don't complain about data URIs exyi/http-observatory
1 participant
@exyi