Bug 148363 - Implement Subresource Integrity (SRI)
Status: NEW
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assigned To: Nobody
Reported: 2015-08-22 18:21 PDT by Michael[tm] Smith
Modified: 2017-02-01 12:22 PST
Description Michael[tm] Smith 2015-08-22 18:21:49 PDT
The SRI specification "defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation" using a validation scheme and "extending several HTML elements with an integrity attribute that contains a cryptographic hash of the representation of the resource the author expects to load." http://w3c.github.io/webappsec/specs/subresourceintegrity/

Example: If a document loads some JavaScript library code from a shared server at https://example.com/example-framework.js rather than from the same origin as the document, the document can specify the expected SHA-256 hash of https://example.com/example-framework.js (e.g., C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=) and the UA, before executing the JavaScript, can verify that the data matches that expected hash.

<script src="https://example.com/example-framework.js"
        integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=" crossorigin="anonymous"></script>

The mechanism can also be used for resources loaded through <link> elements.

As for support in other UAs, Chrome has supported Subresource Integrity since v45, and Firefox has since v43. https://developer.mozilla.org/en/docs/Web/HTML/Element/script#Browser_compatibility
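
Added example, not part of the original bug report and not WebKit code: a Python model of the check the description outlines, which generates an integrity value and decides whether a fetched body may be used. It goes beyond the single-hash case to cover the SRI Recommendation's rule that only the strongest listed algorithm is checked; the function names and sample bodies are assumptions constructed for illustration.

```python
import base64
import hashlib

# Hash functions the SRI Recommendation requires, ranked weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_value(body, alg="sha384"):
    """Build one integrity token of the form '<alg>-<base64 digest>'."""
    digest = hashlib.new(alg, body).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")

def parse_integrity(attr):
    """Split the attribute into (alg, digest) pairs, dropping unknown tokens."""
    parsed = []
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        if sep and alg.lower() in STRENGTH:
            # Anything after '?' is an option string, reserved and ignored.
            parsed.append((alg.lower(), rest.split("?", 1)[0]))
    return parsed

def verify(body, attr):
    """Model the UA decision: True means the resource may be used."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True  # no usable metadata means nothing is enforced
    strongest = max(STRENGTH[alg] for alg, _ in parsed)
    for alg, expected in parsed:
        if STRENGTH[alg] != strongest:
            continue  # weaker hashes are ignored when a stronger one is listed
        actual = base64.b64encode(hashlib.new(alg, body).digest()).decode("ascii")
        if actual == expected:
            return True
    return False

# Constructed sample bodies, not the real example-framework.js.
ORIGINAL = b"window.exampleFramework = { version: '1.0' };\n"
TAMPERED = ORIGINAL + b"/* injected */\n"

if __name__ == "__main__":
    attr = sri_value(ORIGINAL)
    print(attr)
    print("original accepted:", verify(ORIGINAL, attr))
    print("tampered accepted:", verify(TAMPERED, attr))
```

The `not parsed` branch is the case to watch in deployment: a misspelled algorithm prefix in the attribute disables the check without any visible failure.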
Comment 1 Michael[tm] Smith 2016-06-27 02:03:44 PDT
Subresource Integrity is now a final W3C Recommendation https://www.w3.org/TR/SRI/
Comment 2 Barrett Harber 2016-12-19 13:12:47 PST
+1 for this