问题
I am dynamically loading my JavaScript as a "plugin" on a third party's page and would like to verify that it's coming from me.
I can use the content SRI, however I update the library frequently and need it to be dynamically loaded.
Below is an example of what I'd like to see. Is there a way I can achieve this?
const publickey = '...my-key...'
const response = await fetch('https://example.com/my-library.js')
const sig = response.headers.get('X-Signature')
const text = await response.text()
try {
validate(text, sig, publicKey)
const s = document.createElement('script')
s.innerHTML = text
document.head.appendChild(s)
} catch(err) {
console.error("")
}
来源:https://stackoverflow.com/questions/63107226/is-it-possible-to-validate-my-javascript-library-using-a-public-private-key-sign