Skip to content

Add SRI hash to the Redoc CDN script in docs/index.html#44

Open
dmchaledev wants to merge 1 commit into
mainfrom
claude/elegant-edison-wtn31u
Open

Add SRI hash to the Redoc CDN script in docs/index.html#44
dmchaledev wants to merge 1 commit into
mainfrom
claude/elegant-edison-wtn31u

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Summary

  • docs/index.html loads Redoc from jsdelivr (redoc@2.5.3/bundles/redoc.standalone.js) with no Subresource Integrity check. If the CDN (or the pinned package release) were ever compromised, arbitrary JS could run on our public API docs page unnoticed — the same class of supply-chain risk HailBytes ASM flags for customers.
  • Adds a sha384 integrity attribute plus crossorigin="anonymous" to the <script> tag, so the browser refuses to execute the file if its bytes ever don't match this exact pinned version.
  • The hash was computed directly from the file served at that exact versioned URL and cross-checked against jsdelivr's own published file hash for the 2.5.3 release — they match.

Test plan

  • Verified sha256 of the downloaded redoc.standalone.js matches jsdelivr's own published hash for redoc@2.5.3 (confirms the correct bytes were hashed).
  • Computed the sha384 SRI value from the same file for the integrity attribute.
  • Confirm the GitHub Pages docs site (ASM/SAT tabs) still renders after merge — no other change was made to the page.

🤖 Generated with Claude Code

https://claude.ai/code/session_012noANQjQLjeAESfbo89RoL


Generated by Claude Code

The public API docs page loads redoc.standalone.js from jsdelivr with no
subresource-integrity check, so a CDN compromise could silently inject
arbitrary JS into a HailBytes-branded page — the kind of supply-chain
exposure our own ASM product flags for customers. Pin the script with a
sha384 integrity hash (verified against jsdelivr's own published hash for
the pinned 2.5.3 build) plus crossorigin="anonymous".

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_012noANQjQLjeAESfbo89RoL
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants