Subresource Integrity: How to show only warning but not block resource?
I would like to make a soft integration of Subresource Integrity attributes, to be sure that I did not break the application, and only show a warning that I need to fix some places.
Is there an option to do so?
html subresource-integrity
asked Mar 26 at 15:08
Stepan SuvorovStepan Suvorov
13k18 gold badges73 silver badges147 bronze badges
2 Answers
Secure approach

If you need some kind of flexibility, then you should use a fallback mechanism: loading the required resource from another URL. The probability that two different URLs will be hacked at the same time is a lot smaller compared to hacking just one resource. A fallback doesn't violate site security, because you must trust the known-good sources which you use in your code. If your resource is JavaScript, you can use a noncanonical-src attribute for a fallback too.

Insecure approach

Now, if you really, really want a user to break server and/or client security by forcing a compromised resource to load, at least ask the user if he/she takes responsibility for doing so. Of course this will still be a stupid thing; it's like asking "Would you like to run a virus on your computer?". I bet nobody would like to say YES. Anyway, here is the code which asks these types of questions:

<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js"></script>
<script>
function loadResource(path) {
    var xhttp = new XMLHttpRequest();
    xhttp.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
            // Hex SHA-256 of the body, base64-encoded, compared against the pinned value
            var cs = CryptoJS.SHA256(this.responseText);
            var trusted = (btoa(cs) == 'NjBiMTllNWRhNmE5MjM0ZmY5MjIwNjY4YTVlYzExMjVjMTU3YTI2ODUxMzI1NjE4OGVlODBmMmQyYzhkOGQzNg==');
            // The branch bodies were cut off in extraction; reconstructed to match the text above:
            // apply the stylesheet if the hash matches, otherwise only if the user accepts the risk
            if (trusted || confirm('Integrity check failed for ' + path + '. Load it anyway?')) {
                var style = document.createElement('style');
                style.textContent = this.responseText;
                document.head.appendChild(style);
            }
        }
    };
    xhttp.open("GET", path, true);
    xhttp.send();
}
loadResource(
    //'https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css' // newest bootstrap
    'https://stackpath.bootstrapcdn.com/twitter-bootstrap/2.0.4/css/bootstrap-combined.min.css' // old legacy
);
</script>
answered Apr 2 at 9:25
Agnius VasiliauskasAgnius Vasiliauskas
7,7465 gold badges41 silver badges62 bronze badges
I do not recommend only displaying warnings when the SRI hashes don't match. When you see the warning as a user, it's already too late and potentially malicious scripts were executed on your machine.

However, you can implement your desired behaviour using the ServiceWorker API and something like <script data-integrity="xxxxxxxx">. For that, you'd want to:

- Register a new ServiceWorker
- Listen to the fetch event and Client.postMessage the targetURL to your parent
- Get the script integrity hash by targetURL ($('script[src=event.data.targetURL]').attr('data-integrity')) and push it into the client using Worker.postMessage
- Hash the response using e.g. cryptojs.sha256
- Match the hashes inside the worker
- If the hashes match, return the response. If they don't match, return the response and use Client.postMessage again to trigger a warning.
edited Apr 1 at 15:25
answered Apr 1 at 14:52
Tom MTom M
1,8851 gold badge10 silver badges27 bronze badges