Add SRI (Subresource Integrity) hash to CDN script tags #5165
Merged
When include_plotlyjs='cdn', the generated HTML now includes an integrity attribute with a SHA256 hash of the bundled plotly.js content. This provides enhanced security by ensuring the browser verifies the integrity of the CDN-served file.
- Added _generate_sri_hash() function to create SHA256 hashes
- Modified CDN script tag generation to include integrity and crossorigin attributes
- Added comprehensive tests to verify SRI functionality
- Updated existing tests to account for new script tag format
… attributes Update test template to match actual output which now includes SRI integrity attribute and crossorigin attribute for CDN script tags. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
Adjust whitespace after script tag to match actual output and fix CI failures. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
- Fix formatting in test_html.py
- Fix formatting in test_offline.py
- Fix formatting in _html.py
🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
Removed the claude settings entry from .gitignore 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
@marthacryan @T4rk1n well beyond what I understand about safety on the web - please have a look at some point and comment. thanks - @gvwilson
Thanks! Let me know if there is anything I can help explain about this. The key bit is this helps ensure that the generated HTML can include JS from the CDN while defending against security risks of the CDN getting compromised. Essentially the best of both worlds: The small file size of the
T4rk1n
reviewed
May 9, 2025
@T4rk1n would you be willing to take another look at this?
Gentle ping :) Let me know if there is anything I can do to help get this landed.
Hello! Are you willing to take another look at this PR?
camdecoster
reviewed
Jun 10, 2025
T4rk1n
approved these changes
Jun 11, 2025

When include_plotlyjs='cdn' is set, the generated HTML now includes an integrity attribute with a SHA256 hash of the bundled plotly.js content. This provides enhanced security by ensuring the browser verifies the integrity of the CDN-served file.
Code PR
plotly.graph_objects, my modifications concern the codegen files and not generated files.
modified existing tests.
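
The mechanism described in this PR, as an added example that is not code from the PR or from plotly (the project's `_generate_sri_hash()` is not shown on this page): hash the local bundle, emit the pinned script tag, and approximate the browser-side check. The function names, the `cdn.example` URL and the sample bundle bytes are constructed; `browser_would_accept` goes beyond the PR by modelling the rule that only the strongest listed algorithm counts.

```python
import base64
import hashlib
from html import escape

# Weakest to strongest; browsers only honour the strongest algorithm listed.
ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha256") -> str:
    """Return an SRI value: '<algo>-<base64 of the raw digest>'."""
    if algo not in ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def cdn_script_tag(url: str, bundle: bytes) -> str:
    """Build a script tag pinned to the exact bytes of the local bundle."""
    # crossorigin="anonymous" makes the fetch a CORS request; without it the
    # browser cannot read the cross-origin body and the integrity check fails.
    return (
        f'<script src="{escape(url, quote=True)}" '
        f'integrity="{sri_hash(bundle)}" crossorigin="anonymous"></script>'
    )


def browser_would_accept(integrity: str, served: bytes) -> bool:
    """Approximate the browser-side check on the bytes the CDN returned."""
    pairs = [e.split("?", 1)[0].split("-", 1) for e in integrity.split()]
    known = [(p[0], p[1]) for p in pairs if len(p) == 2 and p[0] in ALGOS]
    if not known:
        return True  # no usable metadata: the resource loads unchecked
    strongest = max(ALGOS.index(a) for a, _ in known)
    return any(
        sri_hash(served, a) == f"{a}-{h}"
        for a, h in known
        if ALGOS.index(a) == strongest
    )


if __name__ == "__main__":
    # Constructed stand-in for the bundled plotly.js and a placeholder CDN URL.
    bundle = b"window.Plotly = {version: 'constructed-sample'};"
    tag = cdn_script_tag("https://cdn.example/plotly.min.js", bundle)
    print(tag)
    pinned = sri_hash(bundle)
    print("untouched CDN copy accepted:", browser_would_accept(pinned, bundle))
    print("modified CDN copy accepted:", browser_would_accept(pinned, bundle + b";x()"))
```

Because the hash is taken over the bundled bytes, the check only passes if the CDN serves a byte-identical file for the pinned version.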