Subresource integrity

Often, scripts from third party providers are used. For example, your HTML head may look like this:

<head>
<script src="https://code.jquery.com/jquery-3.4.1.min.js" crossorigin="anonymous"></script>
<script src='https://www.google-analytics.com/analytics.js'></script>
</head>

In case the servers hosting these JavaScript libraries are compromised, all webites using this library will run malicious scripts.

Protecting third party resources

Subresource Integrity allows web developers to ensure that resources hosted on third-party servers have not been tampered with. Always try to use SRI whenever libraries are loaded from a third-party source. The idea is simple, instead of using the following script reference:

<script src="https://code.jquery.com/jquery-3.4.1.min.js" crossorigin="anonymous"></script>

You should use the following:

<script src="https://code.jquery.com/jquery-3.4.1.min.js" integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=" crossorigin="anonymous"></script>

This latter reference has an integrity attribute (integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=) which basically is a hash of the JQuery script. In case an attacker is able to modify the JQuery script, your browser will not load it anymore since the browser will verify that the hash of the JQuery script equals the value of the integrity attribute.

Source attribution

Some parts of this page are based on the Third Party Javascript Management Cheat Sheet, which is licensed under FLOSS.

PreviousContent Security Policy NextSandboxing

Last updated 2 years ago