Subresource Integrity warning for scripts with data-uri
exyi opened this issue · 0 comments
exyi commented
I get this warning: "Subresource Integrity (SRI) not implemented, and external scripts are loaded over HTTP or use protocol-relative URLs via src="//..."", even though the only script on my page is:
<script src="data:text/javascript;base64,YWxlcnQoMSkK" type=text/javascript></script>
This is the website I tested it on: https://observatory.mozilla.org/analyze/exyi.cz
I don't want to stop using the base64 inline scripts - it allows them to have the defer attribute and provides fewer opportunities for exploiting JSON-encoded data in the script by injecting </script> in a string.
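
Added illustration, not part of the original issue and not the Observatory's own code: one way an SRI check could classify script src values so that a data: URI, whose body is embedded in the page, is not counted as an externally loaded script. The category names and the classify_src/audit helpers are hypothetical, and cdn.example and the sha384-PLACEHOLDER value are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def classify_src(src, page_host):
    """Return a category (names are this sketch's own) for a <script src> value."""
    src = src.strip()
    if src.startswith("//"):
        return "external-insecure"      # protocol-relative, as in the warning text
    parts = urlsplit(src)
    scheme = parts.scheme.lower()
    if scheme == "data":
        return "inline"                 # body is embedded in the page, no fetch
    if scheme == "":
        return "same-origin"            # relative path on the page's own host
    if scheme == "http":
        return "external-insecure"      # loaded over plain HTTP
    if (parts.hostname or "").lower() == page_host.lower():
        return "same-origin"
    return "external-secure"


class ScriptAudit(HTMLParser):
    """Collect (category, missing_sri) for every <script src=...> tag."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "script" or attrs.get("src") is None:
            return                      # not a script, or a plain inline script
        kind = classify_src(attrs["src"], self.page_host)
        external = kind.startswith("external")
        self.findings.append((kind, external and not attrs.get("integrity")))


def audit(html, page_host):
    parser = ScriptAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# The tag from the issue, followed by constructed comparison cases.
ISSUE_PAGE = '<script src="data:text/javascript;base64,YWxlcnQoMSkK" type=text/javascript></script>'
CDN_PAGE = ('<script src="//cdn.example/lib.js"></script>'
            '<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>')
```

Under this classification the tag from the issue yields no missing-SRI finding, while the constructed protocol-relative script without an integrity attribute does.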