Is Subresource Integrity of any use for inline JavaScript?
I'm reading about Subresource Integrity and understand it's meant for verifying external files. I guess it's no surprise I couldn't find any reference to inline JavaScript from either MDN or W3C.
So, is it safe to say that the SRI-related attributes, integrity and crossorigin, are completely useless for inline JavaScript?
Yes, because those attributes are only useful for a script element that has a src attribute:
https://html.spec.whatwg.org/multipage/scripting.html#attr-script-integrity
The integrity attribute represents the integrity metadata for requests which this element is responsible for. The value is text. The integrity attribute must not be specified when embedding a module script or when the src attribute is not specified. [SRI]
Also, as noted in the question, that's made clear by the description in MDN:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.
I know that the thread is a little bit older, but the integrity hash check is now supported by the W3C. The script is executed if:
WebAppSec Subresource Integrity
EDIT: it seems that actually only Chrome supports this functionality.
Yes, it's safe to say that, because the integrity attribute of a <script> tag is ignored when the <script> has no "src" attribute. SRI only comes into the picture when a resource is fetched via a separate HTTP request.
If you are looking to protect inline scripts, you can use the nonce source in CSP headers and specify the same nonce on the script tag:
nonce-base64-value
A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. See unsafe inline script for an example. Specifying nonce makes a modern browser ignore 'unsafe-inline', which could still be set for older browsers without nonce support.