• Resolved tfolkman

    (@tfolkman)


    Hello,
    Thank you for this plugin. I am having trouble getting it work with my CDN. After some research online, I included the following header on my site:

    Access-Control-Allow-Origin "*"

    I also set my CDN (CloudFront) to forward the CORS header to the CDN. But on the Subresource Integrity Manager screen the message is “no hashes known.” Would appreciate help!

    Thank you!

    • This topic was modified 6 years, 7 months ago by tfolkman.


Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter tfolkman

    (@tfolkman)

    Update: I had disabled the use of Google Fonts with a plugin, but if I enable it, then wp-sri does produce a hash for the Google Fonts css file.

    Plugin Author Meitar

    (@meitar)

    Thread Starter tfolkman

    (@tfolkman)

    Thank you for the response and the references. I may have thrown you off the track with my mention of Google Fonts. Whether I disable Google Fonts or not, the other js and css files (e.g., my theme’s style.css file) are not given hashes. I only mentioned my experience with Google Fonts as a way of saying that the plugin itself seems to be working (because it generates a hash for Google Fonts), but that for a reason I don’t understand it isn’t generating hashes for any of my other scripts or stylesheets.

    Thank you again! I hope I am describing the issue in a way that is useful, but if not, please let me know.

    Plugin Author Meitar

    (@meitar)

    https://wordpress.org/support/topic/doesnt-work-with-wp-4-7-1/#post-8664592

    https://wordpress.org/support/topic/no-sri-attributes-rendered/

    Please, please just try to find your answer in this forum’s archives. These linked references are not even buried posts.

    Thread Starter tfolkman

    (@tfolkman)

    I’m sorry, I understand you don’t need to answer questions, and I appreciate you doing so. But with respect, I read both of these references, as well as the Google Fonts reference, before posing my question, and none of them have to do with my case as far as I can tell. I use HTTPS, not HTTP. The resources in question are not served by the same server as the page that contains them. Perhaps some of my plugins or my theme don’t use the WP API, but I’m using a default theme (twenty-thirteen) and very widely used plugins (e.g., Contact Form 7), so it is surprising to me that none of the js or css files have hashes attached to them.

    You have marked this as resolved, so please do not feel that you need to reply further.

    Plugin Author Meitar

    (@meitar)

    > But with respect, I read both of these references, as well as the Google Fonts reference, before posing my question, and none of them have to do with my case as far as I can tell.

    This was unclear. Thanks for clarifying.

    > I’m using a default theme (twenty-thirteen) and very widely used plugins (e.g., Contact Form 7), so it is surprising to me that none of the js or css files have hashes attached to them.

    The Twenty Thirteen Theme is, of course, from 2013, which is considered very old. Regardless, its resources such as stylesheets and such should be served from your same site, meaning that the integrity attributes are not added, intentionally. Likewise, Contact Form 7 and many other well-written plugins bundle their resources with the plugin itself, which also means that those resources will not include integrity attributes, either.

    It may simply be the case that your page does not actually meet the criteria for SRI to be useful, in which case the plugin does not modify your output, by design.

    If you can point at a specific resource you’re confused about, and if you can verify that it is in fact added to WordPress via the WordPress Plugin API hooks, I’ll happily take a closer look. But I haven’t the available resources to hunt for such an example on your site.

    Good luck!
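
An added illustration, not part of the thread and not the plugin's code: it shows why a same-site stylesheet or script gets no integrity attribute while a resource on another origin does, and why the cross-origin response needs an Access-Control-Allow-Origin header before the browser can check the hash. The function names, the URLs and the (scheme, host, port) comparison are assumptions made for the example.

```python
import base64
import hashlib
from html import escape
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port): the tuple a browser compares for same-origin."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def sri_value(body, alg="sha384"):
    """integrity value: '<alg>-<base64 of the raw digest>'."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(page_url, src, body):
    """Hypothetical emitter: add integrity only to cross-origin resources."""
    if origin(src) == origin(page_url):
        return f'<script src="{escape(src)}"></script>'
    return (f'<script src="{escape(src)}" integrity="{sri_value(body)}" '
            'crossorigin="anonymous"></script>')

def browser_would_load(page_url, src, served_body, integrity=None, acao=None):
    """Simplified model of the browser-side check for one resource."""
    if integrity is None:
        return True  # nothing to verify
    if origin(src) != origin(page_url):
        # Cross-origin: the response must pass CORS before it can be hashed.
        if acao != "*" and (acao is None or origin(acao) != origin(page_url)):
            return False
    alg = integrity.split("-", 1)[0]
    return sri_value(served_body, alg) == integrity

# Constructed sample data (not from the thread).
PAGE = "https://www.example.com/blog/"
LOCAL = "https://www.example.com/wp-content/themes/x/style.js"
CDN = "https://cdn.example.net/lib/widget.js"
BODY = b"console.log('widget');"

if __name__ == "__main__":
    print(script_tag(PAGE, LOCAL, BODY))  # no integrity attribute
    print(script_tag(PAGE, CDN, BODY))    # integrity + crossorigin
```

The model handles a single hash per integrity value; browsers also accept several space-separated hashes.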

  • The topic ‘CDN trouble’ is closed to new replies.