
Is Subresource Integrity any useful for inline JavaScript?

I'm reading about Subresource Integrity and understand it's meant for verifying external files. I guess it's no surprise I couldn't find any reference to inline JavaScript from either MDN or W3C.

So, is it safe to say that the SRI-related attributes, integrity and crossorigin, are completely useless for inline JavaScript?

So, is it safe to say that the SRI-related attributes integrity and crossorigin are completely useless for inline JavaScript?

Yes, because those attributes are only useful for a script element that has a src attribute:

https://html.spec.whatwg.org/multipage/scripting.html#attr-script-integrity

The integrity attribute represents the integrity metadata for requests which this element is responsible for. The value is text. The integrity attribute must not be specified when embedding a module script or when the src attribute is not specified. [SRI]

Also, as noted in the question, that's made clear by the description in MDN:

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.

I know that the thread is a little bit older, but the integrity hash check is now supported by the W3C. The script is executed if:

  • the src is set, the integrity attribute is correct AND matches the CSP policy
  • the src is not set, the integrity attribute is correct OR matches the CSP policy

Pull request

WebAppSec Subresource Integrity


EDIT: it seems that actually only Chrome supports this functionality.

Yes, it's safe to say that, because the integrity attribute of a <script> tag is ignored when the <script> has no "src" attribute. SRI only comes into the picture when a resource is fetched via a separate HTTP request.

If you are looking to protect inline scripts, you can use the nonce source in the CSP header and specify the same nonce on the script tag:

nonce-base64-value
A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. See unsafe inline script for an example. Specifying nonce makes a modern browser ignore 'unsafe-inline', which could still be set for older browsers without nonce support.
