mlgualtieri/CSS-Exfil-Protection

Necessary with Decentraleyes?

Closed this issue · 4 comments

Using the test page, my browser isn't vulnerable to any of the attacks with Decentraleyes running. Does it provide the same protection as this addon, or does it simply happen to be providing protection in this particular instance, but there are other cases where it won't protect while this addon would?

Decentraleyes seems to have a problem loading jQuery on my site. I'm loading it through Google's CDN using an SRI hash. For some reason the version of jQuery Google serves up is slightly different than the one that is served by Decentraleyes and the SRI check causes it to be blocked. In any case, without jQuery the vulnerability testing page doesn't work properly.

Another person raised this issue as well. I might just move to self-hosting jQuery to avoid the SRI mismatch.

So if I'm understanding you correctly, the only reason I'm "protected" from your test by Decentraleyes is because it's using a different script, but that may not always be the case, which means your addon would in fact add protection beyond what Decentraleyes does. Is that correct? I'm all for locking things down, I just don't want unnecessary redundancy.

The issue is that Decentraleyes breaks on the SRI check my website was using to include jQuery. I just pushed out an update that includes the jQuery library locally and removes the SRI check. So, you will see that the page should report you as vulnerable until you install the CSS Protection plugin.

That did it. Thanks!
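The SRI mismatch described in this thread, as an added example that is not code from the project or from any commenter: a small model of how a browser evaluates an `integrity` attribute, showing why a locally substituted copy that differs by even one byte is blocked. The library bytes and the names `sri_allows`, `CDN_COPY` and `LOCAL_COPY` are constructed for illustration.

```python
import base64
import hashlib

# Algorithms SRI recognises, weakest to strongest.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(body: bytes, alg: str = "sha384") -> str:
    """Build an integrity token such as 'sha384-<base64 digest>'."""
    raw = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(raw).decode('ascii')}"


def parse_integrity(attr: str) -> list[tuple[str, str]]:
    """Split an integrity attribute into (alg, base64 digest) pairs,
    dropping unknown algorithms and any '?options' suffix."""
    pairs = []
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        if sep and alg.lower() in _STRENGTH:
            pairs.append((alg.lower(), rest.split("?", 1)[0]))
    return pairs


def sri_allows(body: bytes, attr: str) -> bool:
    """Mimic the browser decision: only digests of the strongest listed
    algorithm count, and any one of them matching lets the script load."""
    pairs = parse_integrity(attr)
    if not pairs:
        return True  # no usable metadata means no integrity enforcement
    best = max(_STRENGTH[alg] for alg, _ in pairs)
    for alg, expected in pairs:
        if _STRENGTH[alg] == best:
            actual = sri_digest(body, alg).split("-", 1)[1]
            if actual == expected:
                return True
    return False


# Constructed stand-ins for the two copies of the library (not real jQuery).
CDN_COPY = b"/*! lib v1 */\n(function(){window.lib={};})();\n"
LOCAL_COPY = b"/*! lib v1 */\n(function(){window.lib={};})();"  # no trailing newline
PAGE_INTEGRITY = sri_digest(CDN_COPY)  # what the page author pinned

if __name__ == "__main__":
    print("CDN copy loads:  ", sri_allows(CDN_COPY, PAGE_INTEGRITY))
    print("local copy loads:", sri_allows(LOCAL_COPY, PAGE_INTEGRITY))
```

When the pinned script is blocked this way, any test logic that depends on it never runs, so a page can report "not vulnerable" without any CSS exfiltration defence being in place.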