Skip to content

Add SRI (Subresource Integrity) hash to CDN script tags #5165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Add SRI (Subresource Integrity) hash to CDN script tags #5165

wants to merge 7 commits into from
+67 −6

Conversation

ddworken
Copy link

@ddworken ddworken commented May 2, 2025

When include_plotlyjs='cdn' is set, the generated HTML now includes an integrity attribute with a SHA256 hash of the bundled plotly.js content. This provides enhanced security by ensuring the browser verifies the integrity of the CDN-served file.

  • Added _generate_sri_hash() function to create SHA256 hashes
  • Modified CDN script tag generation to include integrity and crossorigin attributes
  • Added comprehensive tests to verify SRI functionality
  • Updated existing tests to account for new script tag format

Code PR

  • I have read through the contributing notes and understand the structure of the package. In particular, if my PR modifies code of plotly.graph_objects, my modifications concern the codegen files and not generated files.
  • I have added tests (if submitting a new feature or correcting a bug) or
    modified existing tests.
  • I have added a CHANGELOG entry if fixing/changing/adding anything substantial.
  • For a new feature or a change in behaviour, I have updated the relevant docstrings in the code to describe the feature or behaviour (please see the doc checklist as well).

ddworken and others added 7 commits May 2, 2025 11:27
@ddworken
Add SRI (Subresource Integrity) hash to CDN script tags
d0d449e 
When include_plotlyjs='cdn', the generated HTML now includes an integrity
attribute with a SHA256 hash of the bundled plotly.js content. This provides
enhanced security by ensuring the browser verifies the integrity of the
CDN-served file.

- Added _generate_sri_hash() function to create SHA256 hashes
- Modified CDN script tag generation to include integrity and crossorigin attributes
- Added comprehensive tests to verify SRI functionality
- Updated existing tests to account for new script tag format
@ddworken
Add CHANGELOG entry for SRI hash support
0c9e4df
@ddworken
Fix CI test in test_renderers.py to include integrity and crossorigin…
e4aadf2 
… attributes

Update test template to match actual output which now includes SRI integrity
attribute and crossorigin attribute for CDN script tags.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@ddworken
Fix whitespace issue in test_renderers.py
912733d 
Adjust whitespace after script tag to match actual output and fix CI failures.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@ddworken
Apply formatting fixes from linter
87a4e8f 
- Fix formatting in test_html.py
- Fix formatting in test_offline.py
- Fix formatting in _html.py

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@ddworken
Merge branch 'main' into add-sri-hash-to-cdn
ed01db9
@ddworken
Revert .gitignore changes
3aa6d25 
Removed the claude settings entry from .gitignore

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@ddworken ddworken marked this pull request as ready for review May 2, 2025 20:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ddworken