Thank you for reminding me that fixing this has been on my list <https://github.com/roysmith/spi-tools/issues/4> for a while. My CSP-fu is weak. As I understand it, all I need do is:
<!-- Bootstrap CSS --> <link rel="stylesheet" - href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css"; - integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" - crossorigin="anonymous"> + href="https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css"; + integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T"> and similar changes for the other linked-to resources. Two specific questions: The integrity token is the same, no matter which mirror I get it from? I can drop the crossorigin attribute since I'm not doing CORS any more? > On Jun 23, 2020, at 3:06 PM, MusikAnimal <[email protected]> wrote: > > The Content Security Policy violations are report-only, if that's what you're > referring to. Popper, Bootstrap, jQuery and Selectize are all available via > https://cdnjs.toolforge.org/ <https://cdnjs.toolforge.org/> which will get > around the CSP directive. For fonts you could try > https://fontcdn.toolforge.org/ <https://fontcdn.toolforge.org/> > > ~ MA
_______________________________________________ Wikimedia Cloud Services mailing list [email protected] (formerly [email protected]) https://lists.wikimedia.org/mailman/listinfo/cloud
