Subresource Integrity and the integrity attribute

Posted: Mon Jul 18, 2016 7:50 pm
by Albert Wiersch
Did you know that there's an "integrity" attribute for "script" and "link" elements and it's supported by Chrome and Firefox?

CSE HTML Validator v17 (not yet released) will support this attribute and perform several checks on it, while the latest config file for v16 now recognizes this attribute (but doesn't check it as thoroughly as v17 will) and can be downloaded here:
https://www.htmlvalidator.com/htmlvalV160cfg.zip

http://www.OnlineWebCheck.com/ also supports this attribute (it's currently based on a CSE HTML Validator v17 BETA).

This attribute helps ensure that content and resources like scripts and CSS from content delivery networks are not tampered with.

More information can be found at these links:
Do not let your CDN betray you: Use Subresource Integrity
What are the integrity and crossorigin attribute?
https://developer.mozilla.org/en-US/doc ... _Integrity
https://w3c.github.io/webappsec-subreso ... -attribute
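
Added example (not part of the original post, and not CSE HTML Validator's own code): a Python sketch of how an integrity value is built and checked, including the case a validator should flag, where a malformed value leaves the resource unprotected. The sample script bytes and the result labels "match", "mismatch" and "unenforced" are constructed for illustration, and digests are compared as exact base64 strings.

```python
import base64
import hashlib

# Hash algorithms defined for Subresource Integrity, weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed sample standing in for a file served by a CDN.
SAMPLE = b"console.log('hello from cdn');\n"

def sri_hash(data, alg="sha384"):
    """Return the integrity value '<alg>-<base64 digest>' for data."""
    digest = hashlib.new(alg, data).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")

def parse_integrity(value):
    """Split an integrity attribute into (alg, base64) pairs.
    Tokens with an unknown algorithm or no digest are dropped."""
    parsed = []
    for token in value.split():
        expr = token.split("?", 1)[0]        # ignore optional '?options'
        alg, sep, b64 = expr.partition("-")
        if sep and b64 and alg.lower() in STRENGTH:
            parsed.append((alg.lower(), b64))
    return parsed

def check(data, integrity):
    """Return 'match', 'mismatch' or 'unenforced' for data against an
    integrity attribute value."""
    parsed = parse_integrity(integrity)
    if not parsed:
        # No usable hash: a browser loads the resource without any check,
        # so this is what a markup validator should warn about.
        return "unenforced"
    # Only hashes of the strongest listed algorithm are considered.
    strongest = max(alg for alg, _ in parsed) if False else \
        max(parsed, key=lambda p: STRENGTH[p[0]])[0]
    for alg, b64 in parsed:
        if alg == strongest and sri_hash(data, alg) == alg + "-" + b64:
            return "match"
    return "mismatch"

if __name__ == "__main__":
    value = sri_hash(SAMPLE)
    print('integrity="%s" crossorigin="anonymous"' % value)
    print(check(SAMPLE, value))              # untouched file
    print(check(SAMPLE + b"//x", value))     # file changed after hashing
    print(check(SAMPLE, "sha384"))           # malformed attribute value
```

Regenerate the integrity value whenever the referenced file changes; a stale value makes the browser refuse to load the resource.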

Re: Subresource Integrity and the integrity attribute

Posted: Thu Jul 28, 2016 6:39 pm
by MikeGale
Great to see that this is live.

A simple and effective approach.

Best when there are separate sources for markup and resources.