Questions tagged [sub-resource-integrity]

Usage of the integrity attribute on script and link HTML elements.

6 questions
32 votes, 2 answers

How does subresource integrity actually help?

Subresource integrity basically lets me know that a resource I'm about to download is valid, because the hash of its contents matches what I expect. But this assumes that I'm already running on some trusted and verified code. If a hacker has…
10 votes, 2 answers

What attacks are mitigated by requiring CORS for subresource integrity verification?

Can someone elaborate on the attacks alluded to in this paragraph from the W3C SubResource Integrity spec? In order to mitigate an attacker’s ability to read data cross-origin by brute-forcing values via integrity checks, responses are only…
ssokolow
9 votes, 1 answer

Why is sub resource integrity (SRI) only limited to certain files?

I'm quite enthusiastic about the Sub resource integrity (SRI) features. But, why is it only limited to JS and CSS files? I tried to pin a LESS (CSS variant) file, of which the integrity tag was ignored by Firefox and Chrome. Additionally, I…
Bob Ortiz
7 votes, 3 answers

Why does Chrome tell me that the CSP 'require-sri-for' directive is implemented behind a flag which is currently disabled?

In my Content Security Policy I have included require-sri-for script. However, in the Chrome console I get a notice (not an error, just info): The Content-Security-Policy directive 'require-sri-for' is implemented behind a flag which is currently…
jamieweb
3 votes, 1 answer

Firefox warning: Content Security Policy: Couldn’t process unknown directive ‘require-sri-for’

Why does Firefox tell me Content Security Policy: Couldn’t process unknown directive ‘require-sri-for’ when Mozilla's documentation says they've implemented it? The meta tag Firefox is complaining about:
wogsland
3 votes, 2 answers

What does the CSP require-sri-for directive protect against?

According to Mozilla: The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page. I fail to see the benefit. The SCP is designed to protect me from…
Anders