Add SRI to hotlinking examples
Given the security implications of pyscript, it makes sense to recommend SRI when hotlinking pyscript.js:
```html
<script
  defer
  src="https://pyscript.net/alpha/pyscript.js"
  integrity="sha384-IwRwL1M346tP5zp9BKvjinCQC8x78+d+KCeRonZ6gO4XgSBop4cJegZ+SV++AhMR"
  crossorigin="anonymous"
></script>
```
Integrity check was calculated successfully as follows:
```shell
$ curl https://pyscript.net/alpha/pyscript.js | openssl dgst -sha384 -binary | openssl base64 -A
IwRwL1M346tP5zp9BKvjinCQC8x78+d+KCeRonZ6gO4XgSBop4cJegZ+SV++AhMR
```
Of course this will create issues when updating pyscript.js, so these links really should be version-pinned (I assume that’s what /alpha/ means in this context).
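The curl-and-openssl pipeline above is the whole of the SRI mechanism: hash the bytes the browser will receive, base64-encode the raw digest, and prefix the algorithm name. The following Python reimplements that computation offline and adds the browser-side half, verification against an `integrity` attribute, so the effect of a version bump (or a tampered file) can be seen directly. This is an added example, not code from the issue or from the pyscript project; the script body is a constructed stand-in for pyscript.js, and the function names (`sri_hash`, `parse_integrity`, `verify_sri`, `pinned_script_tag`) are the example's own. The verifier follows the SRI rule that only the strongest algorithm listed in the attribute is considered, which goes slightly beyond the single-hash case shown in the issue.

```python
import base64
import hashlib

# Constructed sample standing in for the body of a hotlinked script (not pyscript.js itself).
SAMPLE_SCRIPT = b"console.log('hello from a hotlinked script');\n"

# Browsers only recognise these three digest families for SRI.
SUPPORTED = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Produce the integrity token the issue's pipeline produces: '<algo>-<base64(raw digest)>'.

    Equivalent to: openssl dgst -<algo> -binary | openssl base64 -A, with the algo prefix added.
    """
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> list[tuple[str, str]]:
    """Split a whitespace-separated integrity attribute into (algo, base64) pairs.

    Unknown algorithms are skipped, and option suffixes after '?' are dropped,
    mirroring how browsers tolerate tokens they do not understand.
    """
    pairs = []
    for token in attr.split():
        token = token.split("?", 1)[0]
        algo, sep, b64 = token.partition("-")
        if sep and algo.lower() in SUPPORTED:
            pairs.append((algo.lower(), b64))
    return pairs


def verify_sri(content: bytes, attr: str) -> bool:
    """Mimic the browser check: keep only tokens of the strongest listed algorithm,
    and accept the content if its digest matches any of them.

    An attribute with no usable token yields True because browsers then load the
    resource without any integrity check; that is the state of the un-pinned
    <script defer src=...> tag the issue argues against.
    """
    pairs = parse_integrity(attr)
    if not pairs:
        return True
    strongest = max(SUPPORTED[algo] for algo, _ in pairs)
    candidates = [(algo, b64) for algo, b64 in pairs if SUPPORTED[algo] == strongest]
    algo = candidates[0][0]
    actual = base64.b64encode(hashlib.new(algo, content).digest()).decode("ascii")
    return any(actual == expected for _, expected in candidates)


def pinned_script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Render a <script> tag with integrity and crossorigin set, as recommended in the issue."""
    return (
        f'<script defer src="{src}" integrity="{sri_hash(content, algo)}" '
        f'crossorigin="anonymous"></script>'
    )


if __name__ == "__main__":
    token = sri_hash(SAMPLE_SCRIPT)
    print(pinned_script_tag("https://example.invalid/alpha/script.js", SAMPLE_SCRIPT))
    print("unchanged file passes:", verify_sri(SAMPLE_SCRIPT, token))
    # A new release of the same URL changes the bytes, so the old pin fails,
    # which is exactly why the issue asks for version-pinned URLs.
    updated = SAMPLE_SCRIPT + b"// v2\n"
    print("updated file passes:  ", verify_sri(updated, token))
```

Run it directly to see a pinned tag and the pass/fail outcome for the same pin applied to an "updated" body; the failure on update is the operational cost the issue mentions, and the reason SRI only pairs well with versioned URLs.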
Top GitHub Comments
An example, using only the recommended method:

```html
<script defer src="https://pyscript.net/alpha/pyscript.js"></script>
```
This is not a theoretical example, let’s say you want to build an app that encrypts data. How could you know that you weren’t interacting with malware that was stealing your private keys? SRI is built to solve this problem (and many others).
They are the same security implications that would exist with any third party dependency (example: bootstrap). SRI exists to help ensure the integrity of the software aka: “This software came from vendor_x (whom I have implicit trust in) because it included hash_y in the official release of the software”
This would certainly make people more comfortable about including pyscript in their websites since it would minimize the impact of the source of the pyscript files being compromised since any compromise would (in 99.999999999999999999999% of the time) produce a hash different from the one in the website thus failing the integrity check.