Subresource Integrity or SRI is a
W3C
The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. Founded in 1994 and led by Tim Berners-Lee, the consortium is made up of member organizations that maintain full-time staff working to ...
recommendation to provide a method to protect website delivery. Specifically, it validates assets served by a third party, such as a
content delivery network
A content delivery network, or content distribution network (CDN), is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance by distributing the service spatially re ...
(CDN). This ensures these assets have not been compromised for hostile purposes. SRI was created in response to a number of attacks where CDN-served content was injected with malicious code, compromising thousands of websites using it.
To use SRI, a website author wishing to include a resource from a third party can specify a
cryptographic hash
A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography:
* the probability of a particular n-bit output re ...
of the resource in addition to the location of the resource. Browsers fetching the resource can then compare the hash provided by the website author with the hash computed from the resource. If the hashes don't match, the resource is discarded.
A sample
script element with
integrity and
crossorigin attribute used by the SRI:
References
External links
Subresource Integrity on Mozilla Developer Network (MDN)
W3C specificationSRI on Mozilla Wiki
{{W3C Standards
Wireless networking standards
World Wide Web Consortium standards