Subresource integrity (SRI) implementation

If an attacker exploited a content delivery network (CDN) and modified the contents of JavaScript libraries hosted on that CDN, it would create vulnerabilities in all websites that use those libraries.

For example, JavaScript hosted on library.org that is loaded from example.org can access the entire contents of example.org. If an attacker modifies that hosted JavaScript to include malicious code, it could alter download links, deface the site, steal credentials, cause denial-of-service (DoS) attacks, and so on.

Use SRI to lock an external JavaScript resource to its known contents at a specific point in time. This is verified by a base64-encoded cryptographic hash. Specify this hash in the integrity attribute when you load the resource.

If the file is modified after this point, the hash won't match, and supporting web browsers will refuse to load it.

SRI should be used when loading external JavaScript or stylesheet resources. The resources should be loaded over HTTPS.

Note that CDNs must use Cross-Origin Resource Sharing (CORS) by setting the Access-Control-Allow-Origin header.

Load jQuery 2.1.4 from its CDN:

<script
  src="https://code.jquery.com/jquery-2.1.4.min.js"
  integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC"
  crossorigin="anonymous"></script>

Load AngularJS 1.4.8 from its CDN:

<script
  src="https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js"
  integrity="sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp"
  crossorigin="anonymous"></script>

Generate a hash yourself:

$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \
    openssl dgst -sha384 -binary | \
    openssl base64 -A

r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp

• <link>
• <script>
• SRI Hash Generator on srihash.org: Generates the required <script> elements for you, and informs you if the CDN lacks CORS support.