指定来自不受信任主机的脚本的哈希值

Question

Is there any implementation or specification for including a hash or signature in an attribute of a <script> tag, so that the browser can verify that the correct file was retrieved before executing it? Something like:

<script
  src="http://cdn.example.com/jquery-2001.js"
  signature="sha-256/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
></script>

The motivation is this: generally, each additional CDN or host you use for your site increases your vulnerability, by adding a new target that can be hacked to compromise your site. Allowing your primary front-end servers to assert hashes or signatures of those files could entirely eliminate that risk, allowing you to be more flexible when designing your architecture. You could even request missing files from an untrusted peer-to-peer network.

I thought I remembered a specification about this, but haven't been able to find it.

Answer 1

This feature was proposed by the W3C as Subresource Integrity . As of December 2015, this recommendation has been implemented by Chrome 44 and Firefox 43 .

EXAMPLE 1

 <link rel="stylesheet" href="https://site53.example.net/style.css" integrity="sha256-vjnUh7+rXHH2lg/5vDY8032ftNVCIEC21vL6szrVw9M=" crossorigin="anonymous">

There is a superficially similar feature in Content Security Policy Level 2 , but it only restricts the contents of inline <script> and <style> elements, not external ones.

Answer 2

It does not look like it is supported according to Mozilla Developer Network docs:

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script

However, you could always fetch a resource via XHR (assuming CORS is configured), hash it, and if it is cool, eval(). However, while an interesting technical exercise it does not seem practical.