Support SRI for the plausible.js tracker

[ukutaht]

[Vigasaurus]

How would we want to handle versioning for the tracker script here? Would we introduce a proper versioning system such that we'd just publish the hashes for specific versions? And similarly for the different script types?

I honestly think that with the nature of the script and the versions (hash, outbound etc, not actual revisions) of it available, proper SRI is difficult to do well without forcing lots of overhead on users to update script versions when it changes and update the SRI hash anytime they want to change script type or version.

If there's a different idea of how to do this well that'd be cool, but I think SRI is unsuitable for plausible in its current state. The potential volatility and need for user intervention anytime there's an important tracker script change (think vulnerability or similar) without the fear of losing valuable analytics data due to SRI failing is a bad tradeoff.

[ukutaht]

Hmm yeah that's a valid point. At this point it's so useful to be able to push an update and have it take effect once everyone's browser cache expires. I agree that adding an SRI is not practical at the moment.

[KasparEtter]

I've deployed Plausible with SRI. Please notify me here or through another mean, such as a mailing list, when you change the served script. I would prefer it, though, if I could reference a versioned script from you in order to have more time to upgrade the version and the hash. The versioning can be optional for those who want SRI. Being able to use SRI is another nice differentiator of Plausible Analytics over Google Analytics. (I have no problem with hosting the script myself, but I would still need a way to be informed when a newer version is available.)

[budparr]

I agree with this 100%. Would be great to have versioning for those who want SRI!

[sandstrom]

Here is a related discussion:
#2414

I think plausible should turn the tracker into a versioned library. That library can then be used via either NPM (avoiding adblockers) or via a wrapper script (<script tag) just like today.

[engern]

An old discussion, but are there any updates on this? We're also looking to add SRI to our Plausible script. Would it be a good idea to download the script and host it on our own server?