Highest Voted 'sub-resource-integrity' Questions

32

votes

2 answers

How does subresource integrity actually help?

Subresource integrity basically lets me know that a resource I'm about to download is valid, because the hash of its contents matches what I expect. But this assumes that I'm already running on some trusted and verified code. If a hacker has…

asked Sep 10 '18 at 20:22

David says Reinstate Monica

1,108
1
15
20

10

votes

2 answers

What attacks are mitigated by requiring CORS for subresource integrity verification?

Can someone elaborate on the attacks alluded to in this paragraph from the W3C SubResource Integrity spec? In order to mitigate an attacker’s ability to read data cross-origin by brute-forcing values via integrity checks, responses are only…

http same-origin-policy cors sub-resource-integrity

asked Jan 23 '17 at 04:31

ssokolow

403
3
10

9

votes

1 answer

Why is sub resource integrity (SRI) only limited to certain files?

I'm quite enthusiastic about the Sub resource integrity (SRI) features. But, why is it only limited to JS and CSS files? I tried to pin a LESS (CSS variant) file, of which the integrity tag was ignored by Firefox and Chrome. Additionally, I…

web-browser html html-5 sub-resource-integrity

asked Mar 16 '17 at 21:28

Bob Ortiz

6,234
8
43
90

7

votes

3 answers

Why does Chrome tell me that the CSP 'require-sri-for' directive is implemented behind a flag which is currently disabled?

In my Content Security Policy I have included require-sri-for script. However, in the Chrome console I get a notice (not an error, just info): The Content-Security-Policy directive 'require-sri-for' is implemented behind a flag which is currently…

chrome content-security-policy sub-resource-integrity

asked Feb 24 '18 at 16:37

jamieweb

425
1
3
10

3

votes

1 answer

Firefox warning: Content Security Policy: Couldn’t process unknown directive ‘require-sri-for’

Why does Firefox tell me Content Security Policy: Couldn’t process unknown directive ‘require-sri-for’ when Mozilla's documentation says they've implemented it? The meta tag Firefox is complaining about:

firefox sub-resource-integrity

asked Jan 16 '19 at 18:12

wogsland

137
3
12

3

votes

2 answers

What does the CSP require-sri-for directive protect against?

According to Mozilla: The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page. I fail to see the benefit. The SCP is designed to protect me from…

http content-security-policy sub-resource-integrity

asked Feb 26 '18 at 11:51

Anders

64,406
24
178
215

Questions tagged [sub-resource-integrity]

How does subresource integrity actually help?

What attacks are mitigated by requiring CORS for subresource integrity verification?

Why is sub resource integrity (SRI) only limited to certain files?

Why does Chrome tell me that the CSP 'require-sri-for' directive is implemented behind a flag which is currently disabled?

Firefox warning: Content Security Policy: Couldn’t process unknown directive ‘require-sri-for’

What does the CSP require-sri-for directive protect against?