update cdn links #36

Open
wants to merge 1 commit into
base: master

gdw2 commented Nov 10, 2017

jsdelivr.net has updated their url scheme. The old style only has graphiql through version 0.10.x, but the new style supports through the latest (0.11.10 as of today).

HeyHugo commented Dec 13, 2017

I need this 🙏
Having history pane in graphiql with newer versions is great.

@simonclouds

@HeyHugo Does the new version contain this history button? I use 1.4.1, but no.

HeyHugo commented Jan 17, 2018

@simonclouds You can pass an argument graphiql_version to the graphql view to request a specific version. Currently I've modified my local flask-graphql with this PR so when I register my endpoint for graphql with graphiql it looks like this:

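```python
from flask import Blueprint
from flask_graphql import GraphQLView

# `schema` is the application's GraphQL schema, defined elsewhere.
graphql_api = Blueprint('graphql', __name__)

graphql_api.add_url_rule(
    '/graphql',
    view_func=GraphQLView.as_view(
        'graphql',
        schema=schema,
        graphiql=True,
        graphiql_version='latest'
    )
)
```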

And I get the latest version of graphiql

@simonclouds

@HeyHugo Thanks a lot! I just found that too in graphene_django.views when I looked into a django project, and I found the following:

```python
class GraphQLView(View):
    graphiql_version = '0.10.2'
    graphiql_template = 'graphene/graphiql.html'

    schema = None
    graphiql = False
    executor = None
    middleware = None
    root_value = None
    pretty = False
    batch = False
```

After giving graphiql_version = '0.10.2', I get the history button.

nfisher commented Feb 16, 2018

From a security perspective I think it would be good to include Subresource Integrity/SRI in the tags. An example of the risk that SRI helps prevent is JS crypto-miners among other attacks where the CDN and/or publisher has been compromised;
https://www.wordfence.com/blog/2018/02/cryptomining-javascript-supply-chain-attack/

As a result I think it's probably easier to maintain through copy-pasting the whole tag rather than templating the version. cdnjs as an example provides a "link with SRI" copy facility for most assets.

@nfisher nfisher left a comment

Include SRI tags in CDN links.

@@ -22,11 +22,11 @@
}
</style>
<meta name="referrer" content="no-referrer">
<link href="//cdn.jsdelivr.net/graphiql/{{graphiql_version}}/graphiql.css" rel="stylesheet" />
<link href="//cdn.jsdelivr.net/npm/graphiql@{{graphiql_version}}/graphiql.css" rel="stylesheet" />
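
Review bot: the replacement `<link>` for graphiql.css still has no `integrity` or `crossorigin` attribute and still uses a protocol-relative `//cdn.jsdelivr.net/...` URL, so the stylesheet is fetched without a hash check, and over plain HTTP whenever the page itself is served over HTTP. Because the path interpolates `{{graphiql_version}}`, a fixed hash cannot be written into the template as it stands; suggest an explicit `https://` scheme and either pinning the version with a matching `integrity` value or supplying the hash alongside the version.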

Suggest changing these tags to;

```html
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/graphiql/0.11.11/graphiql.min.css" integrity="sha256-gSgd+on4bTXigueyd/NSRNAy4cBY42RAVNaXnQDjOW8=" crossorigin="anonymous" />
<script src="https://cdnjs.cloudflare.com/ajax/libs/fetch/1.1.1/fetch.min.js" integrity="sha256-TQsP3yTWwfvm6Auy90oBeVhYhGZuKa1jRM3vpnQpX+8=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.6.2/react.min.js" integrity="sha256-c/17te7UpABi7+wcIHAAiIMOrNMVcTIzoxtRTDoYB4s=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react-dom/15.6.2/react-dom.min.js" integrity="sha256-Xhtg7QJuNhwB5AzaUcgr0iqNtCitzN+c/6k5/SOtENU=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/graphiql/0.11.11/graphiql.min.js" integrity="sha256-oeWyQyKKUurcnbFRsfeSgrdOpXXiRYopnPjTVZ+6UmI=" crossorigin="anonymous"></script>
```

No need to change the CDN, you can add the integrity attribute to any existing link.

@nfisher nfisher Feb 16, 2018

¯\\\_(ツ)\_/¯
As long as it has the integrity attribute. CDN JS made it easy to get the tag with SRI using the "Copy with SRI" link.

As an example hover an asset and click the down arrow;
https://cdnjs.com/libraries/react/15.6.2
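
What the `integrity` attribute discussed in this thread checks, as an added example (not code from this pull request or from flask-graphql): it computes an SRI value for a file, renders a pinned tag, and verifies content against an attribute using the browser's strongest-algorithm rule. The asset bytes and the `cdn.example` URL are constructed placeholders.

```python
import base64
import hashlib
from html import escape

ALGS = ("sha256", "sha384", "sha512")  # SRI hash functions, weakest first

# Constructed stand-in for a CDN file; a real check would hash the exact
# bytes served at the pinned URL.
ASSET = b"window.GraphiQL = {};\n"


def sri_value(content: bytes, alg: str = "sha384") -> str:
    """Return '<alg>-<base64 digest>' for an integrity attribute."""
    if alg not in ALGS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Apply the browser rule: only the strongest algorithm listed counts,
    and any hash of that strength may match."""
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        b64 = rest.split("?", 1)[0]  # drop optional '?options' suffix
        if alg in ALGS and b64:
            parsed.append((alg, b64))
    if not parsed:
        # A browser loads the file unchecked here; a build check fails closed.
        return False
    strongest = max((alg for alg, _ in parsed), key=ALGS.index)
    actual = sri_value(content, strongest).split("-", 1)[1]
    return any(b64 == actual for alg, b64 in parsed if alg == strongest)


def script_tag(url: str, content: bytes) -> str:
    """Render a <script> tag pinned to the exact bytes in `content`."""
    return (f'<script src="{escape(url, quote=True)}" '
            f'integrity="{sri_value(content)}" crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Hypothetical URL; the hash only stays valid for a fixed version.
    print(script_tag("https://cdn.example/graphiql@X.Y.Z/graphiql.min.js", ASSET))
    print(sri_matches(ASSET, sri_value(ASSET)))              # unmodified file
    print(sri_matches(ASSET + b"// changed", sri_value(ASSET)))  # modified file
```

Since the hash covers one exact file, it only works with a fixed `graphiql_version`; a moving tag such as `latest` would fail the check as soon as the CDN serves a new release.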
