

Specifying the hash of a script from an untrusted host

Is there any implementation or specification for including a hash or signature in an attribute of a <script> tag, so that the browser can verify that the correct file was retrieved before executing it? Something like:

<script
  src="http://cdn.example.com/jquery-2001.js"
  signature="sha-256/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
></script>

The motivation is this: generally, each additional CDN or host you use for your site increases your vulnerability, by adding a new target that can be hacked to compromise your site. Allowing your primary front-end servers to assert hashes or signatures of those files could entirely eliminate that risk, allowing you to be more flexible when designing your architecture. You could even request missing files from an untrusted peer-to-peer network.

I thought I remembered a specification about this, but haven't been able to find it.

This feature was proposed by the W3C as Subresource Integrity. As of December 2015, this recommendation has been implemented by Chrome 44 and Firefox 43.

EXAMPLE 1
 <link rel="stylesheet" href="https://site53.example.net/style.css" integrity="sha256-vjnUh7+rXHH2lg/5vDY8032ftNVCIEC21vL6szrVw9M=" crossorigin="anonymous">

There is a superficially similar feature in Content Security Policy Level 2, but it only restricts the contents of inline <script> and <style> elements, not external ones.

It does not look like it is supported according to Mozilla Developer Network docs:

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script

However, you could always fetch a resource via XHR (assuming CORS is configured), hash it, and if it is cool, eval(). However, while an interesting technical exercise, it does not seem practical.
