Add SRI integrity hashes to CDN resources in docs HTML files (2.x)#593
Conversation
Agent-Logs-Url: https://github.com/PECE-project/drupal-pece/sessions/58c260ad-26ed-49dc-b2aa-0c3e3c7560d4 Co-authored-by: revagomes <201890+revagomes@users.noreply.github.com>
Pull request overview
Adds Subresource Integrity (SRI) attributes to externally loaded Highlight.js assets in the MkDocs-generated documentation HTML, to reduce CDN supply-chain risk on the 2.x branch.
Changes:
- Added `integrity` and `crossorigin="anonymous"` to the Highlight.js CDN stylesheet `<link>`.
- Added `integrity` and `crossorigin="anonymous"` to the Highlight.js CDN script `<script>`.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| docs/source/site/usersguide/index.html | Adds SRI + crossorigin to Highlight.js CDN CSS/JS includes. |
| docs/source/site/search.html | Adds SRI + crossorigin to Highlight.js CDN CSS/JS includes. |
| docs/source/site/legal/index.html | Adds SRI + crossorigin to Highlight.js CDN CSS/JS includes. |
| docs/source/site/installation/index.html | Adds SRI + crossorigin to Highlight.js CDN CSS/JS includes. |
| docs/source/site/index.html | Adds SRI + crossorigin to Highlight.js CDN CSS/JS includes. |
| docs/source/site/gettingstarted/index.html | Adds SRI + crossorigin to Highlight.js CDN CSS/JS includes. |
| docs/source/site/datamanagement/index.html | Adds SRI + crossorigin to Highlight.js CDN CSS/JS includes. |
| docs/source/site/contributors/index.html | Adds SRI + crossorigin to Highlight.js CDN CSS/JS includes. |
| docs/source/site/about/index.html | Adds SRI + crossorigin to Highlight.js CDN CSS/JS includes. |
| docs/source/site/404.html | Adds SRI + crossorigin to Highlight.js CDN CSS/JS includes. |
Agent-Logs-Url: https://github.com/PECE-project/drupal-pece/sessions/9ded3148-765a-44ba-9a26-8e78e29ab016 Co-authored-by: revagomes <201890+revagomes@users.noreply.github.com>
…cure) Agent-Logs-Url: https://github.com/PECE-project/drupal-pece/sessions/c24e70b1-149b-4e7b-ae65-5b5dfcefa6a0 Co-authored-by: revagomes <201890+revagomes@users.noreply.github.com>
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.
| <script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/languages/{{lang}}.min.js" integrity="{{ hljs_lang_sri[lang] }}" crossorigin="anonymous"></script> | ||
| {%- endif %} | ||
| {%- endfor %} | ||
| <script>hljs.initHighlightingOnLoad();</script> |
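Review bot: the `{%- endif %}` closing this hunk means a language listed in `hljs_languages` but absent from `hljs_lang_sri` is dropped with no trace in the built page, so the first sign of a missing hash will be missing highlighting for that language; consider an `{%- else %}` branch that emits an HTML comment such as `<!-- highlight.js language {{ lang }} skipped: no SRI hash in hljs_lang_sri -->`, or failing the build when a configured language has no hash, so the omission is visible rather than silent.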
hljs.initHighlightingOnLoad() is called unconditionally right after loading highlight.js. If the CDN script fails to load (e.g., SRI mismatch, network block), this will throw a ReferenceError (hljs is undefined) and clutter the console. Consider guarding the call (e.g., check window.hljs before invoking) so the page degrades cleanly when highlighting is unavailable.
| <script>hljs.initHighlightingOnLoad();</script> | |
| <script> | |
| if (window.hljs && typeof window.hljs.initHighlightingOnLoad === 'function') { | |
| window.hljs.initHighlightingOnLoad(); | |
| } | |
| </script> |
Summary

Adds Subresource Integrity (SRI) `integrity` and `crossorigin="anonymous"` attributes to all HTML tags that load external CDN resources in the documentation site files, to prevent supply-chain attacks. This mirrors the same security measures already applied on the `gh-pages` branch (see `copilot/fix-docs-html-attributes`), now applied to the `2.x` branch.

Changes

- Added SRI `integrity` hashes and `crossorigin="anonymous"` to all CDN resource tags in 10 HTML files under `docs/source/site/`:
  - `//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/github.min.css` → `integrity="sha384-WtUWHyk39lfUpZQVgokNfSKCJaKAeD6adgLduBLrKTMUuPzFhLtL23y1guFy6lZn"`
  - `//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js` → `integrity="sha384-ZeLYJ2PNSQjvogWP559CDAf02Qb8FE5OyQicqtz/+UhZutbrwyr87Be7NPH/RgyC"`
- Added `docs/source/custom_theme/base.html` — a MkDocs theme override (based on the MkDocs 1.0.4 readthedocs `base.html`) with the SRI `integrity` and `crossorigin` attributes included on both CDN tags, so future `mkdocs build` runs preserve the security hardening automatically. The template also uses a fail-secure pattern for the `hljs_languages` for loop: additional language files are only loaded when their pre-verified SRI hash is present in a `hljs_lang_sri` dictionary defined in the template. Languages without a known hash are skipped rather than loaded without integrity verification. Any future `hljs_languages` entry in `mkdocs.yml` must have a corresponding hash added to the template dictionary before it will be served.
- Updated `docs/source/mkdocs.yml` to use `custom_dir: custom_theme`, enabling the template override on every rebuild.

Note: The Google Fonts `<link>` tags are intentionally left unchanged, as Google Fonts serves dynamically-generated CSS (varying by browser user-agent) which cannot have a stable, pre-computed SRI hash.

SRI Hash Verification

The SRI hashes were computed from the exact bytes stored in the cdnjs GitHub repository, verified against the git blob SHA values:

- `github.min.css` blob SHA: `5477a1b9d6ab51515f7fa40df696ce06137350f5` ✅
- `highlight.min.js` blob SHA: `f30a334c9d15d3d6e85a5c6b06f4ab915dfea344` ✅
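The two checks the PR description performs, the `sha384-…` SRI value for the HTML tag and the git blob SHA that proves which bytes were hashed, as an added Python example (not code from the PR or the drupal-pece project); the function names and the sample input are constructed for illustration, not real highlight.js bytes:

```python
"""Compute an SRI integrity value and a git blob SHA from the same bytes.

Added example, not part of the PR. It reproduces the verification step the
PR description describes: hash the exact bytes, then confirm those bytes are
the ones the cdnjs repository stores by recomputing git's blob SHA.
"""
import base64
import hashlib
import hmac


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return the SRI value for data, e.g. 'sha384-<standard base64 digest>'.

    Browsers accept sha256, sha384 and sha512; the digest is standard base64
    with padding, not hex and not URL-safe base64.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"SRI does not support {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def git_blob_sha(data: bytes) -> str:
    """Return the SHA-1 that `git hash-object` assigns to these exact bytes.

    Git hashes the header 'blob <size>\\0' followed by the content, which is
    why the blob SHA differs from a plain sha1sum of the file.
    """
    header = f"blob {len(data)}\0".encode("ascii")
    return hashlib.sha1(header + data).hexdigest()


def verify_asset(data: bytes, expected_sri: str, expected_blob_sha: str) -> bool:
    """True only if both the SRI value and the git blob SHA match.

    The blob SHA match shows we hashed the bytes the repository stores; the
    SRI match shows the value going into the <link>/<script> tag is right.
    The algorithm is taken from the expected value's 'sha384-' prefix.
    """
    algo = expected_sri.split("-", 1)[0]
    sri_ok = hmac.compare_digest(sri_hash(data, algo), expected_sri)
    blob_ok = hmac.compare_digest(git_blob_sha(data), expected_blob_sha)
    return sri_ok and blob_ok


if __name__ == "__main__":
    # Constructed sample standing in for a downloaded highlight.js file.
    sample = b"console.log('hello');\n"
    print(sri_hash(sample))
    print(git_blob_sha(sample))
```

In practice `data` is the file fetched from the cdnjs GitHub repository at the pinned version, and `expected_blob_sha` is the blob SHA GitHub shows for that file.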