Problem/Motivation

Currently this module uses an external script, //platform.instagram.com/en_US/embeds.js, without any integrity attribute.

SRI hash attributes are used for security purposes, to mitigate the risk of arbitrary script tampering by outside attackers. More info is available in the SRI docs.

Now, an SRI attribute can be added to scripts that use a specific version, since if the script gets updated by the maintainer for a feature enhancement or a bug fix, the old SRI hash value won't work anymore. We would need to update the integrity attribute every time the script gets updated. That is very tedious and not maintainable in the long run. So we should only implement integrity attributes on external scripts that are a specific version of the script. Example: https://code.jquery.com/jquery-3.6.0.min.js is a versioned script, at version 3.6.0. If tomorrow the maintainer finds an issue with the script, they won't change this script but will release a new 3.6.1 version that fixes the issue. The 3.6.0 script would still be available and remain unchanged, so any site using the 3.6.0 script won't need to update its integrity hash value and it would still work fine.

Now, the remote script this module uses does not seem to be a specific-version script, and we can't add an integrity attribute in our libraries definition for this script. We should contact the script maintainer to check whether they provide a script with a specific version. If they do, we should use that script in our libraries definition with an integrity attribute, instead of the current one.

Proposed resolution

1. Contact the script maintainer to check whether they provide a specific-version script.
2. If they do, use that script with an integrity attribute in the libraries definition instead of the current one.
3. If they don't support versions, then our hands will be tied and no changes would be required as of now.
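
The versioned versus unversioned argument above, as an added example that is not part of the original issue or the module's code: a Python approximation of the browser's SRI check, run against constructed script bodies. The function names and the sample bodies are assumptions made for illustration.

```python
import base64
import hashlib

# Hash algorithms defined for SRI, weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return an integrity value of the form '<alg>-<base64 digest>'."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def verify_integrity(content: bytes, integrity: str) -> bool:
    """Approximate the browser check: only the strongest listed algorithm counts."""
    parsed = []
    for token in integrity.split():
        alg, sep, value = token.partition("-")
        if sep and alg in STRENGTH:  # unknown algorithms are ignored
            parsed.append((alg, value.split("?", 1)[0]))  # drop any ?options
    if not parsed:
        return True  # no usable metadata: the script loads unchecked
    strongest = max(parsed, key=lambda p: STRENGTH[p[0]])[0]
    return any(sri_hash(content, alg) == f"{alg}-{value}"
               for alg, value in parsed if alg == strongest)

# Constructed sample bodies standing in for a remote script (assumed content).
RELEASE_1 = b"function embed(){/* constructed v1 */}\n"
RELEASE_2 = b"function embed(){/* constructed v2, bug fix */}\n"

def simulate(pinned: str, served: bytes) -> str:
    """What a page carrying the pinned hash experiences for the served bytes."""
    return "loads" if verify_integrity(served, pinned) else "blocked"

if __name__ == "__main__":
    pin = sri_hash(RELEASE_1)
    # Versioned URL: the bytes behind the URL never change, so the pin keeps matching.
    print("versioned URL:  ", simulate(pin, RELEASE_1))
    # Unversioned URL: the file is replaced in place and the old pin stops matching.
    print("unversioned URL:", simulate(pin, RELEASE_2))
```

With an unversioned URL the second case is the normal outcome of any maintainer update: the embed stops loading on every site until the pinned hash is regenerated.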

Comments

Supreetam09 created an issue.