Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork2.7k
Add SRI (Subresource Integrity) hash to CDN script tags#5165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Conversation
When include_plotlyjs='cdn', the generated HTML now includes an integrityattribute with a SHA256 hash of the bundled plotly.js content. This providesenhanced security by ensuring the browser verifies the integrity of theCDN-served file.- Added _generate_sri_hash() function to create SHA256 hashes- Modified CDN script tag generation to include integrity and crossorigin attributes- Added comprehensive tests to verify SRI functionality- Updated existing tests to account for new script tag format
… attributesUpdate test template to match actual output which now includes SRI integrityattribute and crossorigin attribute for CDN script tags.🤖 Generated with [Claude Code](https://claude.ai/code)Co-Authored-By: Claude <noreply@anthropic.com>
Adjust whitespace after script tag to match actual output and fix CI failures.🤖 Generated with [Claude Code](https://claude.ai/code)Co-Authored-By: Claude <noreply@anthropic.com>
- Fix formatting in test_html.py- Fix formatting in test_offline.py- Fix formatting in _html.py🤖 Generated with [Claude Code](https://claude.ai/code)Co-Authored-By: Claude <noreply@anthropic.com>
Removed the claude settings entry from .gitignore🤖 Generated with [Claude Code](https://claude.ai/code)Co-Authored-By: Claude <noreply@anthropic.com>
@emilykl is this something you'd be able to help review? If you have any thoughts on alternate approaches (e.g. adding a new option |
@marthacryan@T4rk1n well beyond what I understand about safety on the web - please have a look at some point and comment. thanks -@gvwilson |
Thanks! Let me know if there is anything I can help explain about this. The key bit is this helps ensure that the generated HTML can include JS from the CDN while defending against security risks of the CDN getting compromised. Essentially the best of both worlds: The small file size of the |
Uh oh!
There was an error while loading.Please reload this page.
@T4rk1n would you be willing to take another look at this? |
Gentle ping :) Let me know if there is anything I can do to help get this landed. |
Hello! Are you willing to take another look at this PR? |
@ddworken apologies for the delay - we're all tied up withhttps://go.plotly.com/smarter-faster-data-apps-bi at the moment but I hope to get eyes on this some time soon |
Uh oh!
There was an error while loading.Please reload this page.
1ec864b intoplotly:mainUh oh!
There was an error while loading.Please reload this page.
When
include_plotlyjs='cdn'is set, the generated HTML now includes an integrity attribute with a SHA256 hash of the bundled plotly.js content. This provides enhanced security by ensuring the browser verifies the integrity of the CDN-served file.Code PR
plotly.graph_objects, my modifications concern thecodegenfiles and not generated files.modified existing tests.