Subresource Integrity

Subresource Integrity (SRI) is a W3C recommendation that provides a method to protect website delivery. Specifically, it validates assets served by a third party, such as a content delivery network (CDN). This ensures that these assets have not been compromised for hostile purposes. SRI was created in response to a number of attacks in which CDN-served content was injected with malicious code, compromising thousands of websites that used it.[1]

To use SRI, a website author wishing to include a resource from a third party can specify a cryptographic hash of the resource in addition to the location of the resource. Browsers fetching the resource can then compare the hash provided by the website author with the hash computed from the resource. If the hashes don't match, the resource is discarded.[2]

As of May 2018, SRI is supported by Microsoft Edge, Firefox, Safari, Google Chrome, and Opera.[3]

Sample script element with integrity attribute used by SRI:

<script src="https://cdn.example.com/app.js"
     integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB"
     crossorigin="anonymous"></script>
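
The hash comparison described above, as an added Node.js example (not code from the original page or from any browser). It goes beyond the single-hash sample by also handling an integrity attribute that lists several hashes, where only the strongest algorithm present decides. The function names `sriHash`, `parseIntegrity` and `verifyIntegrity` and the sample resource bytes are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Hash algorithms defined for SRI, ordered weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// Build the value for the integrity attribute: "<alg>-<base64 digest>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Parse an integrity attribute: whitespace-separated tokens, each with an
// optional "?options" suffix. Tokens with an unknown algorithm are ignored.
function parseIntegrity(value) {
  return value.trim().split(/\s+/).filter(Boolean).map((token) => {
    const [expr] = token.split('?');
    const dash = expr.indexOf('-');
    return { alg: expr.slice(0, dash), digest: expr.slice(dash + 1) };
  }).filter((h) => STRENGTH.includes(h.alg));
}

// Returns true when the resource may be used, false when it must be discarded.
function verifyIntegrity(body, integrity) {
  const hashes = parseIntegrity(integrity);
  // No usable metadata means nothing is enforced, so monitor for attributes
  // that contain only unsupported algorithms.
  if (hashes.length === 0) return true;
  const strongest = hashes.reduce((best, h) =>
    (STRENGTH.indexOf(h.alg) > STRENGTH.indexOf(best) ? h.alg : best), hashes[0].alg);
  const actual = createHash(strongest).update(body).digest('base64');
  // Weaker hashes in the attribute are ignored once a stronger one is present.
  return hashes.some((h) => h.alg === strongest && h.digest === actual);
}

// Constructed sample bytes standing in for https://cdn.example.com/app.js.
const original = Buffer.from('console.log("app");\n');
const tampered = Buffer.from('console.log("app");/* injected */\n');
const integrity = sriHash(original);

console.log(`<script src="https://cdn.example.com/app.js"
     integrity="${integrity}"
     crossorigin="anonymous"></script>`);
console.log('original accepted:', verifyIntegrity(original, integrity));
console.log('tampered accepted:', verifyIntegrity(tampered, integrity));
```
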

References

  1. "Afghanistan CDN network compromised by Chinese hackers".
  2. "Subresource Integrity". Mozilla Developer Network. Retrieved 14 April 2016.
  3. "Subresource Integrity". Can I use... Support tables for HTML5, CSS3, etc. Retrieved 3 May 2018.

This page was last updated at 2019-11-11 22:04 UTC.

All our content comes from Wikipedia and is licensed under the Creative Commons Attribution-ShareAlike License.
