Always use HTTPS for CDN files (#498)

adamchainz · jkimbo · commit ea2cd9894fa1 · 2019-03-19T20:34:10.000Z
* Always use HTTPS for CDN files

There's no point using insecure, deprecated HTTP even if the current page is on HTTP.

* add integrity and crossorigin attributes
diff --git a/graphene_django/templates/graphene/graphiql.html b/graphene_django/templates/graphene/graphiql.html
@@ -17,11 +17,20 @@
       width: 100%;
     }
   </style>
-  <link href="//cdn.jsdelivr.net/npm/graphiql@{{graphiql_version}}/graphiql.css" rel="stylesheet" />
-  <script src="//cdn.jsdelivr.net/npm/whatwg-fetch@2.0.3/fetch.min.js"></script>
-  <script src="//cdn.jsdelivr.net/npm/react@16.2.0/umd/react.production.min.js"></script>
-  <script src="//cdn.jsdelivr.net/npm/react-dom@16.2.0/umd/react-dom.production.min.js"></script>
-  <script src="//cdn.jsdelivr.net/npm/graphiql@{{graphiql_version}}/graphiql.min.js"></script>
+  <link href="https://cdn.jsdelivr.net/npm/graphiql@{{graphiql_version}}/graphiql.css"
+        rel="stylesheet"
+        crossorigin="anonymous" />
+  <script src="https://cdn.jsdelivr.net/npm/whatwg-fetch@2.0.3/fetch.min.js"
+          integrity="sha384-dcF7KoWRaRpjcNbVPUFgatYgAijf8DqW6NWuqLdfB5Sb4Cdbb8iHX7bHsl9YhpKa"
+          crossorigin="anonymous"></script>
+  <script src="https://cdn.jsdelivr.net/npm/react@16.2.0/umd/react.production.min.js"
+          integrity="sha384-j40ChW3xknV2Dsc9+kP3/6SW2UrR7gYSbx9pmyNU1YTacm/PEj/0bxB9vM8jWFqx"
+          crossorigin="anonymous"></script>
+  <script src="https://cdn.jsdelivr.net/npm/react-dom@16.2.0/umd/react-dom.production.min.js"
+          integrity="sha384-P4XM5fEtXj1kXZzsm1EOHZ7HmQIuzyRjjvX4na21R4eRLjmm+oUZua5ALb2PIojw"
+          crossorigin="anonymous"></script>
+  <script src="https://cdn.jsdelivr.net/npm/graphiql@{{graphiql_version}}/graphiql.min.js"
+          crossorigin="anonymous"></script>
 </head>
 <body>
   <script src="{% static 'graphene_django/graphiql.js' %}"></script>
