phaser.min.js: Inclusion of functionality from an untrusted source #398 #399
BaseMax wants to merge 9 commits into NextCommunity:main from
Conversation
Code Review
This pull request updates the Phaser library script tag in src/index.njk to include Subresource Integrity (SRI) attributes. A critical issue was identified regarding the version number 3.90.0, which appears to be invalid on cdnjs and will likely result in a 404 error and script failure.
Pull request overview
Adds Subresource Integrity (SRI) metadata to the Phaser CDN script include on the main index page to mitigate risk from loading third‑party JS.
Changes:
- Add `integrity` and `crossorigin="anonymous"` attributes to the Phaser `<script>` tag in `src/index.njk`.
src/index.njk
Outdated
| <title>Developer Directory</title> | ||
| <script src="https://cdn.tailwindcss.com"></script> | ||
| <script src="https://cdnjs.cloudflare.com/ajax/libs/phaser/3.90.0/phaser.min.js"></script> | ||
| <script src="https://cdnjs.cloudflare.com/ajax/libs/phaser/3.90.0/phaser.min.js" integrity="sha384-AvQiDMZAVLda3VtAoU5MCfBz8pzXhteb2CiUJeKBmPlWzpXj1uJ96Km11+YuFNu/" crossorigin="anonymous"></script> |
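Review bot: the new `integrity` value pins this page to the exact bytes cdnjs serves at the 3.90.0 path, but nothing in the PR records how the sha384 digest was produced; please add the command used to derive it (and the URL it was computed from) to the description, and confirm the page still loads Phaser in a browser, because a digest that does not match the served file, or a version path that does not exist, makes the browser refuse to execute the script rather than fall back to an unchecked load. The `cdn.tailwindcss.com` script on the line above is still loaded with no `integrity` or `crossorigin` attribute; either give it the same treatment or state why it is out of scope for this change.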
This adds SRI for Phaser on the index page, but Phaser is still loaded from the same CDN without an integrity/crossorigin attribute in src/_includes/bio.njk (line 8). If the goal of this PR is to address untrusted third‑party script inclusion, the same mitigation needs to be applied consistently anywhere Phaser is included; otherwise the issue remains for profile/bio pages.
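The two points above (computing a correct SRI value for a third-party script, and finding every include that still lacks one) can be checked mechanically. The following is an added example written for this review, not code from the NextCommunity project or the PR author: it derives the `integrity` attribute value from the bytes of a script in the way the SRI spec defines it (base64 of the raw sha256/sha384/sha512 digest, prefixed with the algorithm name), reproduces the browser's matching rule so a digest can be verified offline, and scans a template for cross-origin `<script>` tags that are missing `integrity` or `crossorigin`. The sample markup, the `sha384-PLACEHOLDER` value and the demo script bytes are constructed for the example; a real digest must be computed from the file actually served by the CDN.

```python
import base64
import hashlib
import re

# Hash algorithms the SRI spec allows, listed in increasing order of strength.
_SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity value (e.g. 'sha384-...') a <script> tag needs for `content`."""
    if algo not in _SRI_ALGOS:
        raise ValueError(f"SRI permits only {_SRI_ALGOS}, not {algo!r}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(content: bytes, integrity: str) -> bool:
    """Mimic the browser check: of the hashes listed in the attribute, only those
    using the strongest algorithm count, and the content passes if any of them match."""
    by_algo: dict[str, set[str]] = {}
    for token in integrity.split():
        token = token.split("?", 1)[0]            # drop an option suffix such as "?foo"
        algo, _, b64 = token.partition("-")
        if algo in _SRI_ALGOS:
            by_algo.setdefault(algo, set()).add(b64)
    if not by_algo:
        # Browsers skip the check when no recognised hash is present; for an
        # offline lint we fail closed instead, since an unchecked include is the risk.
        return False
    strongest = max(by_algo, key=_SRI_ALGOS.index)
    return sri_hash(content, strongest).partition("-")[2] in by_algo[strongest]


_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_ATTR = re.compile(r'([A-Za-z-]+)(?:\s*=\s*"([^"]*)")?')


def unprotected_scripts(markup: str) -> list[str]:
    """Return src URLs of absolute (third-party) scripts that lack an integrity
    attribute or the crossorigin attribute SRI requires for cross-origin loads."""
    flagged = []
    for tag in _SCRIPT_TAG.finditer(markup):
        attrs = {name.lower(): value for name, value in _ATTR.findall(tag.group(1))}
        src = attrs.get("src", "")
        if not src.startswith(("http://", "https://", "//")):
            continue  # inline script or same-origin relative path: not a CDN include
        if not attrs.get("integrity") or "crossorigin" not in attrs:
            flagged.append(src)
    return flagged


# Constructed template fragment modelled on the three script tags in the diff above;
# the integrity value is a placeholder, not a real digest.
SAMPLE_MARKUP = """
<script src="https://cdn.tailwindcss.com"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/phaser/3.90.0/phaser.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/js/app.js"></script>
"""

if __name__ == "__main__":
    demo_script = b"console.log('hello');\n"      # constructed stand-in for a fetched CDN file
    print("integrity for demo bytes:", sri_hash(demo_script))
    print("includes still missing SRI:", unprotected_scripts(SAMPLE_MARKUP))
```

Running the scanner over every `.njk` template would have surfaced the `src/_includes/bio.njk` include as well as the Tailwind tag; `sri_hash` applied to the bytes downloaded from the exact CDN URL gives the value to paste into the attribute, and `integrity_matches` lets a reviewer confirm a submitted digest against the served file without trusting the PR's copy.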
No description provided.