Subresource Integrity on CSS-included fonts over CDN (e.g. font-awesome)
How would one employ SRI for resources included by a .css file included over a CDN?

For example, if you include this in your HTML:

<link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous">

This will load fonts included via the CSS, such as url('../fonts/fontawesome-webfont.woff2?v=4.7.0'). Of course, these fonts could be tampered with, to take advantage of some untold browser exploit, so it makes sense to force hash checking on them, too.

How can one tell a browser to perform the SRI-hash of the fontawesome-webfont.* files that are loaded via the .css?

Note: It looks like sub-sub-resource hashes are not yet supported, though I'm not sure if that's the latest.

Arvizu answered 3/1, 2017 at 16:17

Comment (Ulrich): Note that font CDNs may deliberately vary the CSS and fonts in ways that prevent assigning a static hash: github.com/google/fonts/issues/473
As far as I'm aware, subresources of resources that have a valid integrity and CORS header shouldn't need anything more. At least, that seems to be the case with CSP enforced on Opera.

Dyeing answered 30/12, 2017 at 20:16
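The hash check the question is about, as an added example that is not part of the original question or answer: it computes the value that goes into an `integrity` attribute (`<alg>-<base64(hash)>`) for a resource's bytes and applies the matching rule a browser uses (keep only the strongest listed algorithm, accept if any of its digests matches). The font bytes are constructed for the example; `check_delivered` and `EXPECTED` are names chosen here, not anything from Font Awesome or a CDN.

```python
"""Compute and check Subresource Integrity (SRI) digests offline.

SRI digest = <alg>-<base64(hash(bytes))>, with alg in sha256/sha384/sha512.
A browser that honours the integrity attribute refuses to apply a fetched
resource whose bytes do not match the declared digest.
"""
import base64
import hashlib
from typing import Dict, Set

# Algorithms the SRI spec allows, listed weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(data: bytes, alg: str = "sha384") -> str:
    """Return the integrity attribute value for `data`, e.g. 'sha384-...'."""
    if alg not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    raw = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(raw).decode('ascii')}"


def parse_integrity(value: str) -> Dict[str, Set[str]]:
    """Parse a (possibly multi-token) integrity attribute into {alg: {digests}}.

    Tokens with an unknown algorithm are ignored, as browsers do; an optional
    '?options' suffix after the digest is dropped.
    """
    parsed: Dict[str, Set[str]] = {}
    for token in value.split():
        alg, sep, rest = token.partition("-")
        if not sep or alg not in SRI_ALGORITHMS:
            continue
        digest = rest.split("?", 1)[0]
        parsed.setdefault(alg, set()).add(digest)
    return parsed


def sri_matches(data: bytes, integrity: str) -> bool:
    """Apply the SRI matching rule: among the listed algorithms keep only the
    strongest one; the resource is accepted if any of its digests matches."""
    parsed = parse_integrity(integrity)
    if not parsed:
        # No usable digest at all: browsers treat this as "no integrity check".
        return True
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = sri_digest(data, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


# Constructed sample: stands in for the bytes of a font file served from a CDN.
SAMPLE_FONT = b"wOFF2\x00\x00\x00\x00constructed font bytes for the example"
# Computed once at build time from the known-good file and shipped in the page.
EXPECTED = sri_digest(SAMPLE_FONT)


def check_delivered(delivered: bytes, expected: str = EXPECTED) -> bool:
    """Return True when the delivered bytes match the pinned digest."""
    return sri_matches(delivered, expected)


if __name__ == "__main__":
    print("integrity attribute:", EXPECTED)
    print("unmodified copy accepted:", check_delivered(SAMPLE_FONT))
    print("tampered copy accepted:", check_delivered(SAMPLE_FONT + b"\x00"))
```

Run it against a locally stored copy of a stylesheet or font to obtain the value to pin; whether a browser then applies that pin to the font files a stylesheet pulls in is exactly the open point of the thread, so the script is useful for generating and re-checking digests, not a substitute for browser support.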
