Subresource Integrity

Subresource Integrity (SRI) is a security mechanism that lets you verify that a resource (JavaScript, CSS) fetched from an external origin has not been tampered with.

Why it exists

Many sites load resources from external origins (CDNs); this reduces the load on the site's own server and speeds up page display for the user. If an attacker compromises the CDN and replaces the hosted files with their own, every website that loads that library from the CDN is affected.

The same-origin policy places no restrictions on a <script src=""> tag whose address points to an external origin, so the loaded JavaScript gets full access to the embedding page, including its cookies.

Description

The popular Bootstrap library can be loaded from an external CDN, for example:

<link
    rel="stylesheet"
    href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
    integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
    crossorigin="anonymous"
>

Subresource Integrity introduces two new attributes for the <script> and <link> tags:

  • integrity is the hash of the contents of the downloaded file, written as the algorithm name, a dash and the base64-encoded digest (as in the example above). The browser loads the file, computes its hash and compares the result with the value of the integrity attribute. If the values differ, the code is not included in the page and is not executed. The sha256, sha384 and sha512 hash functions are currently supported. To compute the hash, run cat FILENAME.js | openssl dgst -sha384 -binary | openssl enc -base64 -A and prefix the output with sha384-, or use the SRI Hash Generator website.
  • crossorigin initiates a CORS request carrying the Origin header so that access to the resource can be checked. The server must answer with an Access-Control-Allow-Origin header listing the origins that are allowed access. The attribute is mandatory when integrity is specified and can take two values:
    • anonymous: the CORS request is made without credentials (cookies, client X.509 certificates, HTTP Basic authentication).
    • use-credentials: the CORS request is made with credentials (cookies, client X.509 certificates, HTTP Basic authentication).
