Script tags with integrity attributes
- Added on 19. 07. 2024
- This tutorial explains what the integrity attribute of a script tag is and how it works. Also covered is how you can integrate your integrity values into your Content Security Policy meta tags.
HTML Code GIST: gist.github.com/prof3ssorSt3v...
integrity.js Code GIST: gist.github.com/prof3ssorSt3v...
other-integrity.js Code GIST: gist.github.com/prof3ssorSt3v...
Content-Security-Policy video: • Content Security Polic...
SRI Hash Generator - www.srihash.org/
Content-Security-Policy reference: content-security-policy.com/
Seriously?! This is only 1k views? This video is the only resource I've found on these two concepts that is quick and easy to understand without jargon.
If people who find it useful share it, that number will grow. 😀
Super Steve Bro... Nicely explained.. Thx.... I searched on the internet.. I got your video.... Thx a lot ...
Really good video. Just got a security hotspot with SonarQube in the pipeline complaining about missing integrity. This explains it really well. Thank you :)
This is a great video. Also, when you get the sha384 of the SRI Hash generator, make sure to add the crossorigin="anonymous"; otherwise, you will still get an error.
Thanks. You made my task easy to understand!
Please keep making videos; you should have more subscribers because your content is actually useful. Unfortunately, content creators without substance get the most attention.
Thank you so much for your videos !!!
Amazing video! Thank you very much, sir.
Thank you very much
Great stuff as usual… just wondering if you’d need a modified approach for a site developed with something like Svelte and Sveltekit?
I tried to copy and paste the sha384 from the SRI Hash generator, and not only did it not work, it screwed up my website design. What happened?
Can you please share it for nonce? I am able to generate the unique nonce value but am not able to call it in my HTML and JSP page.
Amazing video, can we use the script-src 'hash' for inline scripts?
The hash value is the result of hashing a file. You need a file to be able to do that.
Can we use it for any CDN which is not providing the integrity attributes?
If you are willing to download the current version of the script and run the hashing algorithm with openssl or the online tool, then you have the hash and can add it to your integrity attribute in the script tag.
Bear in mind that if they change the file that you are pointing to, the integrity value will no longer be valid.
The integrity value is really just giving the browser a way to validate the contents of the script.
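The hash-it-yourself workflow from the reply above, as an added example that is not code from the video or its gists: it computes the integrity value for a downloaded copy, builds the tag with the `crossorigin` attribute and a matching CSP meta tag, and repeats the browser's comparison so a changed CDN file is caught. Function names, the `cdn.example` URL and the sample bytes are constructed for illustration.

```javascript
// Added example: names, URL and sample bytes are constructed, not from the page.
const crypto = require('crypto');

// Relative strength used when one integrity attribute lists several hashes.
const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);
const strengthOf = (token) => STRENGTH.get(token.split('-')[0]) || 0;

// Integrity value for the exact bytes of a file: "<algo>-<base64 digest>".
function sriHash(bytes, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Mirror the browser check: drop unknown algorithms, keep only the strongest
// algorithm present, and pass if any hash of that strength matches the bytes.
function matchesIntegrity(bytes, integrity) {
  const known = integrity.trim().split(/\s+/).filter((t) => strengthOf(t) > 0);
  if (known.length === 0) return true; // no usable hash: nothing is enforced
  const best = Math.max(...known.map(strengthOf));
  return known
    .filter((t) => strengthOf(t) === best)
    .some((t) => t === sriHash(bytes, t.split('-')[0]));
}

// Script tag for a cross-origin file; crossorigin lets the browser read the
// response so it can be hashed.
function scriptTag(url, bytes) {
  return `<script src="${url}" integrity="${sriHash(bytes)}" crossorigin="anonymous"></script>`;
}

// CSP meta tag that allows only scripts whose integrity hash is listed.
function cspMetaTag(hashes) {
  const sources = hashes.map((h) => `'${h}'`).join(' ');
  return `<meta http-equiv="Content-Security-Policy" content="script-src ${sources}">`;
}

// Constructed sample: the copy you downloaded and a later, changed CDN copy.
const DOWNLOADED = Buffer.from('console.log("sample library v1");\n');
const CHANGED = Buffer.from('console.log("sample library v2");\n');

const pinned = sriHash(DOWNLOADED);
console.log(scriptTag('https://cdn.example/lib.js', DOWNLOADED));
console.log(cspMetaTag([pinned]));
console.log('downloaded copy passes:', matchesIntegrity(DOWNLOADED, pinned));
console.log('changed copy passes:', matchesIntegrity(CHANGED, pinned));
```

Re-running the comparison against the live file in a build step shows when the pinned value has gone stale before visitors' browsers start refusing the script.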
@SteveGriffith-Prof3ssorSt3v3 can we also add the integrity attribute to internal JS and internal style/CSS?
@makeitbollywood yes. Any file
Hi Steve, I might be late for it, but my page has many inline scripts and styles. That's old code, and making every script a link is not easy, and adding so many hash codes to every script is also not that easy. Is there any solution for it?
Sounds like it is time to refactor.
Rebuild the code into one script or into actual modules that are imported.
Not easy but the time you take to fix things will make everything run better and be more secure in the long run.
Just because it is hard to update, do not avoid making the changes and improving things.
Hey Steve, thanks for the reply. It's fine for the scripts which we find in the code, but what about scripts that get dynamically created, meaning we don't have control over them, like webform_onSubmit etc.? For different elements we are getting different scripts in the page. Do you have any solution for this kind of situation?
How to reverse it?
You never need to reverse it. The value is for matching.
Like 90º
How do you stop a chicken and egg problem of knowing when you MAKE the tag that it's not malicious lol?
It has to be your own script or from a source that you absolutely trust.
Any way to skip the integrity attribute?