subresource-integrity | 易学教程

SRI for Google Sign-In

阅读更多关于 SRI for Google Sign-In

问题 I have a requirement for a site, I need to set the Subresource Integrity (https://www.w3.org/TR/SRI/) for the Google sign-in functionality, can someone tell me if it's feasible or if the resource (https://apis.google.com/js/platform.js) changes and I need to use any version mechanism or workaround in order to implement the SRI. I've tried setting the hash generated in https://www.srihash.org/ and works fine but I don't know if this is going to continue working in the future: <script src=

Subresource integrity for es6 import or worker

阅读更多关于 Subresource integrity for es6 import or worker

来源： https://stackoverflow.com/questions/52636690/subresource-integrity-for-es6-import-or-worker

Subresource integrity for es6 import or worker

阅读更多关于 Subresource integrity for es6 import or worker

来源： https://stackoverflow.com/questions/52636690/subresource-integrity-for-es6-import-or-worker

Handling load error within subresource integrity check

阅读更多关于 Handling load error within subresource integrity check

问题 I'm implementing subresource integrity checks. I'd like to implement a fallback such that 1) the browsers loads from my CDN, performs the integrity check and carries on or 2) in the event of failing the integrity check, an embedded script launches and retrieves the needed script from my application server (resource under my control). I have a simple javascript which catches window.onerror events, but the script is actually detecting an uncaught ReferenceError (my page references a script

Edge17 - SEC7136 - The origin failed an integrity check for a resource

阅读更多关于 Edge17 - SEC7136 - The origin failed an integrity check for a resource

问题 In a jekyll website, I added a plugin (http://flexslider.woothemes.com/), everything is working fine upto Edge16 & below browsers, however, in Edge17, I see the console message: SEC7136: [Integrity] The origin '[insert url]' failed an integrity check for a style resource at '[url]' What is this error about? And how is the offending file, in this case, a CSS file, causing an integrity issue in Edge17 & not the previous version? Thanks 回答1: This is a known bug in 1803 Win10 release. You are

How to cryptographically verify web page requisites?

阅读更多关于 How to cryptographically verify web page requisites?

问题 How to cryptographically verify web page requisites in HTML? For example, if I have some external resource like an image, a style sheet or (most importantly) a script on a (potentially untrusted) content delivery network, is it possible to force the client browser to cryptographically verify the hash of the downloaded resource before usage? Is there some HTML attribute or URL scheme for this or does one manually have to write some JavaScript to do it? The rationale is that providing the

What is the purpose of the integrity attribute in HTML? [duplicate]

阅读更多关于 What is the purpose of the integrity attribute in HTML? [duplicate]

This question already has an answer here: What are the integrity and crossorigin attributes? 2 answers I was on bootstrap's site, and I recently noticed that their CDN links contained an integrity attribute with an SHA-384 key. <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script> I assume that is meant to be a way to verify the script source, but moreso I was wondering how it's used and if this is part of any spec? Furthermore, does this only work

What is the purpose of the integrity attribute in HTML? [duplicate]

阅读更多关于 What is the purpose of the integrity attribute in HTML? [duplicate]

问题 This question already has an answer here: What are the integrity and crossorigin attributes? 2 answers I was on bootstrap's site, and I recently noticed that their CDN links contained an integrity attribute with an SHA-384 key. <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script> I assume that is meant to be a way to verify the script source, but

Subresource Integrity in angularJS App which uses Require JS

阅读更多关于 Subresource Integrity in angularJS App which uses Require JS

问题 I have an angular application with below index.html file Consider in my index.html page I have the following code for SRI (SubResource Integrity) <html> <head> <meta http-equiv="Content-Security-Policy" content="script-src 'self' scripts/alert.js 'unsafe-inline' 'unsafe-eval' 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"> <script src="scripts/alert.js" integrity="sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=" crossorigin="anonymous"></script> </head> </html> In case, if I am

What are the integrity and crossorigin attributes?

阅读更多关于 What are the integrity and crossorigin attributes?

Bootstrapcdn recently changed their links. It now looks like this: <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" rel="stylesheet" integrity="sha256-MfvZlkHCEqatNoGiOXveE8FIwMzZg4W85qfrfIFBfYc= sha512-dTfge/zgoMYpP7QbHy4gWMEGsbsdZeCXz7irItjcC3sPUFtf0kuFbDz/ixG7ArTxmDjLXDmezHubeNikyKGVyQ==" crossorigin="anonymous"> What do the integrity and crossorigin attributes mean? How do they affect the loading of the stylesheet? jim.taylor.1974 Both attributes have been added to Bootstrap CDN to implement Subresource Integrity . Subresource Integrity defines a mechanism