Why it exists
Many sites load resources (scripts, stylesheets) from external origins such as a CDN. This reduces the load on the site's own server and speeds up page rendering for the user. But if an attacker can compromise the CDN and replace the hosted files with their own, every website that includes that library is affected at once.
The browser applies no same-origin restriction to a <script src=""> tag whose address is on an external origin: the script is fetched from the CDN and then runs with the full privileges of the page that included it.
The popular Bootstrap library, for example, lets developers include it from an external CDN:
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous" >
Subresource Integrity introduces two new attributes for the <script> and <link> tags:
integrity - the hash of the contents of the downloaded file, written as the hash function name, a dash and the base64-encoded digest (sha384-... in the Bootstrap example above). The browser loads the file, computes its hash and compares it with the value of the integrity attribute. If the values differ, the code is not included in the page and is not executed. Currently the sha256, sha384 and sha512 hash functions are supported. To compute the hash you can run
cat FILENAME.js | openssl dgst -sha384 -binary | openssl enc -base64 -A
or use the SRI Hash Generator website.
crossorigin - makes the browser fetch the resource with a CORS request carrying the Origin header, so the server can check access to the resource. The server must answer with an Access-Control-Allow-Origin header naming the origins that are allowed access. For a resource on another origin this attribute is required whenever integrity is set: without CORS the response is opaque to the browser, its contents cannot be hashed, and the resource is blocked. The attribute can take two values:
- anonymous - the CORS request is sent without credentials (cookies, client X.509 certificate, HTTP Basic Authentication).
- use-credentials - the CORS request is sent with credentials (cookies, client X.509 certificate, HTTP Basic Authentication). In this case the server must return the exact page origin in Access-Control-Allow-Origin (a wildcard * is not accepted) together with Access-Control-Allow-Credentials: true.