1 change: 1 addition & 0 deletions app/index.html
@@ -20,6 +20,7 @@
<link integrity="" rel="stylesheet" type="text/css" href="{{rootURL}}assets/bracco.css">

<script defer data-domain="doi.datacite.org" src="https://plausible.io/js/script.js"></script>
<script id="datacite-toasts" data-site="fabrica" src="https://assets.datacite.org/javascripts/toast_notifications.js" async></script>
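Review bot: the added `datacite-toasts` script tag has neither `integrity` nor `crossorigin`, and the stylesheet `<link>` on the hunk's first context line carries an empty `integrity=""`, which browsers treat as no integrity metadata at all, so neither asset is actually pinned (the plausible.io script in the same block is in the same position). If SRI is added to the new tag, assets.datacite.org must answer with CORS headers for `crossorigin="anonymous"` to succeed, and every upstream release of toast_notifications.js will require the hash in this tag to be updated, so document where the hash is generated; the empty `integrity=""` on the stylesheet should either be filled in or dropped.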
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and examine app/index.html
find . -name "index.html" -path "*/app/*" | head -5

Repository: datacite/bracco

Length of output: 75


🏁 Script executed:

# Check the content around line 23
if [ -f "app/index.html" ]; then
  sed -n '15,30p' app/index.html | cat -n
fi

Repository: datacite/bracco

Length of output: 1068


🏁 Script executed:

# Test accessibility and headers of the external script
curl -sSI "https://assets.datacite.org/javascripts/toast_notifications.js" 2>&1 | head -20

Repository: datacite/bracco

Length of output: 519


🏁 Script executed:

# Compute SRI hash if accessible
curl -sSL "https://assets.datacite.org/javascripts/toast_notifications.js" 2>&1 | head -c 500

Repository: datacite/bracco

Length of output: 559


🏁 Script executed:

# Compute the actual SRI hash for the script
curl -sSL "https://assets.datacite.org/javascripts/toast_notifications.js" | openssl dgst -sha384 -binary | openssl base64 -A

Repository: datacite/bracco

Length of output: 201


🏁 Script executed:

# Compute SRI hash using Python
python3 << 'EOF'
import hashlib
import base64
import urllib.request

url = "https://assets.datacite.org/javascripts/toast_notifications.js"
try:
    with urllib.request.urlopen(url) as response:
        content = response.read()
    
    # Compute SHA384
    sha384_hash = hashlib.sha384(content).digest()
    sri_hash = base64.b64encode(sha384_hash).decode('utf-8')
    
    print(f"sha384-{sri_hash}")
    print(f"Script size: {len(content)} bytes")
except Exception as e:
    print(f"Error: {e}")
EOF

Repository: datacite/bracco

Length of output: 193


Add integrity protection and crossorigin attribute for the remote script include.

Line 23 loads executable code from a mutable URL without integrity and crossorigin attributes. The asset is served from S3/CloudFront with version tracking but lacks cache-control directives for immutable versioning, allowing unintended upstream script changes to reach clients.

Add integrity with a Subresource Integrity (SRI) hash and crossorigin="anonymous":

Suggested hardening change
-  <script id="datacite-toasts" data-site="fabrica" src="https://assets.datacite.org/javascripts/toast_notifications.js" async></script>
+  <script id="datacite-toasts" data-site="fabrica" src="https://assets.datacite.org/javascripts/toast_notifications.js" integrity="sha384-<hash>" crossorigin="anonymous" async></script>

Compute the hash with:

curl -sSL "https://assets.datacite.org/javascripts/toast_notifications.js" | openssl dgst -sha384 -binary | openssl base64 -A
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@app/index.html` at line 23, the external script tag with id "datacite-toasts"
(src="https://assets.datacite.org/javascripts/toast_notifications.js") lacks
Subresource Integrity and CORS attributes; compute the SHA-384 SRI hash for that
exact file (e.g., via the provided curl | openssl command), then update the
script element to include integrity="sha384-<computed_hash>" and
crossorigin="anonymous" so the browser can verify the file and fetch it
anonymously.
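To go with the hash command in the comment above, here is an added Python example (not code from the bracco project or from the review bot) that produces the same `sha384-...` token and applies the browser's SRI matching rule to an `integrity` value: an empty attribute like the stylesheet's `integrity=""` verifies nothing, and when several algorithms are listed only the strongest one is consulted. The script bytes are a constructed stand-in, not the real toast_notifications.js.

```python
import base64
import hashlib
import re

# Constructed stand-in for the remote script body (not the real toast_notifications.js).
SAMPLE_JS = b"window.DataciteToasts = function () { /* constructed sample */ };\n"

_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity token ('sha384-<base64>') for content, as the curl | openssl command does."""
    if algo not in _ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = _ALGOS[algo](content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(metadata: str) -> dict:
    """Parse an integrity attribute into {algo: [base64 digests]}; unknown tokens are ignored."""
    parsed = {}
    for token in metadata.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?", token)
        if m:
            parsed.setdefault(m.group(1), []).append(m.group(2))
    return parsed


def sri_check(content: bytes, metadata: str) -> bool:
    """Browser matching rule: no usable metadata means the resource loads unchecked (True);
    otherwise only the strongest listed algorithm counts and one of its digests must match."""
    parsed = parse_integrity(metadata)
    if not parsed:
        return True  # integrity="" or garbage: nothing is verified
    strongest = max(parsed, key=_STRENGTH.__getitem__)
    actual = sri_digest(content, strongest).split("-", 1)[1]
    return actual in parsed[strongest]
```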


<script>
window.MathJax = {