subresource-integrity

SRI for Google Sign-In

China☆狼群 submitted on 2021-01-28 01:16:49
Question: I have a requirement for a site: I need to set the Subresource Integrity (https://www.w3.org/TR/SRI/) for the Google sign-in functionality. Can someone tell me if it's feasible, or if the resource (https://apis.google.com/js/platform.js) changes and I need to use any version mechanism or workaround in order to implement the SRI? I've tried setting the hash generated in https://www.srihash.org/ and it works fine, but I don't know if this is going to continue working in the future: <script src=

Handling load error within subresource integrity check

时光毁灭记忆、已成空白 submitted on 2019-12-12 13:08:55
Question: I'm implementing subresource integrity checks. I'd like to implement a fallback such that 1) the browser loads from my CDN, performs the integrity check and carries on or 2) in the event of failing the integrity check, an embedded script launches and retrieves the needed script from my application server (resource under my control). I have a simple JavaScript which catches window.onerror events, but the script is actually detecting an uncaught ReferenceError (my page references a script

Edge17 - SEC7136 - The origin failed an integrity check for a resource

笑着哭i submitted on 2019-12-11 03:13:43
Question: In a Jekyll website, I added a plugin (http://flexslider.woothemes.com/). Everything is working fine up to Edge16 & below browsers; however, in Edge17, I see the console message: SEC7136: [Integrity] The origin '[insert url]' failed an integrity check for a style resource at '[url]' What is this error about? And how is the offending file, in this case a CSS file, causing an integrity issue in Edge17 & not the previous version? Thanks Answer 1: This is a known bug in 1803 Win10 release. You are

How to cryptographically verify web page requisites?

荒凉一梦 submitted on 2019-12-08 08:14:36
Question: How to cryptographically verify web page requisites in HTML? For example, if I have some external resource like an image, a style sheet or (most importantly) a script on a (potentially untrusted) content delivery network, is it possible to force the client browser to cryptographically verify the hash of the downloaded resource before usage? Is there some HTML attribute or URL scheme for this or does one manually have to write some JavaScript to do it? The rationale is that providing the

What is the purpose of the integrity attribute in HTML? [duplicate]

笑着哭i submitted on 2019-11-29 07:21:27
This question already has an answer here: What are the integrity and crossorigin attributes? 2 answers I was on bootstrap's site, and I recently noticed that their CDN links contained an integrity attribute with an SHA-384 key. <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script> I assume that is meant to be a way to verify the script source, but more so I was wondering how it's used and if this is part of any spec? Furthermore, does this only work

What is the purpose of the integrity attribute in HTML? [duplicate]

冷暖自知 submitted on 2019-11-27 18:00:23
Question: This question already has an answer here: What are the integrity and crossorigin attributes? 2 answers I was on bootstrap's site, and I recently noticed that their CDN links contained an integrity attribute with an SHA-384 key. <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script> I assume that is meant to be a way to verify the script source, but

Subresource Integrity in angularJS App which uses Require JS

别来无恙 submitted on 2019-11-27 04:46:44
Question: I have an Angular application with the below index.html file. Consider in my index.html page I have the following code for SRI (SubResource Integrity) <html> <head> <meta http-equiv="Content-Security-Policy" content="script-src 'self' scripts/alert.js 'unsafe-inline' 'unsafe-eval' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"> <script src="scripts/alert.js" integrity="sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=" crossorigin="anonymous"></script> </head> </html> In case, if I am

What are the integrity and crossorigin attributes?

我的梦境 submitted on 2019-11-26 18:03:37
Bootstrapcdn recently changed their links. It now looks like this: <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" rel="stylesheet" integrity="sha256-MfvZlkHCEqatNoGiOXveE8FIwMzZg4W85qfrfIFBfYc= sha512-dTfge/zgoMYpP7QbHy4gWMEGsbsdZeCXz7irItjcC3sPUFtf0kuFbDz/ixG7ArTxmDjLXDmezHubeNikyKGVyQ==" crossorigin="anonymous"> What do the integrity and crossorigin attributes mean? How do they affect the loading of the stylesheet? jim.taylor.1974 Both attributes have been added to Bootstrap CDN to implement Subresource Integrity. Subresource Integrity defines a mechanism