Merge pull request #2 from KindSpells/improve-sri-for-external-files

feat!: improve sri support for "external" files
kindspells · Feb 11, 2024 · a51dcd5 · a51dcd5
2 parents ac88392 + 7e37959
commit a51dcd5
Show file tree

Hide file tree

Showing 4 changed files with 238 additions and 81 deletions.
diff --git a/README.md b/README.md
@@ -54,9 +54,6 @@ export default defineConfig({
 
 ## Known limitations
 
-- For now, the SRI hashes calculation is done only for inlined resources. This
-  will be solved in future releases.
-
 - For now, this integration only works for generated static content (the
   exported subresource integrity hashes could be used in dynamic contexts, but
   that does not cover the whole SSG use case)
@@ -65,6 +62,14 @@ export default defineConfig({
   that if you need them to be up to date when you run `astro dev`, then you will
   have to manually run `astro build`.
 
+- It seems that when a script is loaded with a _static_ import rather than
+  directly included with a `<script>` tag, having its hash present in the
+  `script-src` directive is not enough to ensure that the browser will accept
+  it.
+  
+  This means that, for now, it is advisable to add `'self'` to the `script-src`
+  directive (adding `'strict-dynamic'` does not help either).
+
 ## License
 
 This library is released under [MIT License](LICENSE).