Subresource Integrity: How to show only warning but not block resource?Handling load error within subresource integrity checkWhy not use tables for layout in HTML?Convert HTML + CSS to PDF with PHP?How to style a <select> dropdown with only CSS?How to disable a link using only CSS?How do I remove the space between inline-block elements?location.host vs location.hostname and cross-browser compatibility?Disabling Chrome AutofillSubresource integrity and cache busting techniques in PHPHandling load error within subresource integrity checkDo web browsers cache resources with Subresource Integrity (SRI) differently?

What's the explanation for this joke about a three-legged dog that walks into a bar?

Sextortion with actual password not found in leaks

What happens if an IRB mistakenly approves unethical research?

Why did computer video outputs go from digital to analog, then back to digital?

Raw curve25519 public key points

How do I run a game when my PCs have different approaches to combat?

Short story about a group of sci-fi writers sitting around discussing their profession

Other than a swing wing, what types of variable geometry have flown?

what to say when a company asks you why someone (a friend) who was fired left?

Issue with ContourPlot

Are gangsters hired to attack people at a train station classified as a terrorist attack?

What would be the side effects on the life of a person becoming indestructible?

Sci-fi short story: plants attracting spaceship and using them as a agents of pollination between two planets

Invert Some Switches on a Switchboard

Are glider winch launches rarer in the USA than in the rest of the world? Why?

Idioms: Should it be " the internet is a seemingly infinite well of information" or "the internet is a seemingly infinite wealth of information"

How could an engineer advance human civilization by time traveling to the past?

dos2unix is unable to convert typescript file to unix format

What was the rationale behind 36 bit computer architectures?

How to extract only values greater than a threshold

How can I tell if there was a power cut when I was out?

Why is DC so, so, so Democratic?

Does a definite integral equal to the Möbius function exist?

Considerations when providing money to one child now, and the other later?



Subresource Integrity: How to show only warning but not block resource?


Handling load error within subresource integrity checkWhy not use tables for layout in HTML?Convert HTML + CSS to PDF with PHP?How to style a <select> dropdown with only CSS?How to disable a link using only CSS?How do I remove the space between inline-block elements?location.host vs location.hostname and cross-browser compatibility?Disabling Chrome AutofillSubresource integrity and cache busting techniques in PHPHandling load error within subresource integrity checkDo web browsers cache resources with Subresource Integrity (SRI) differently?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








10















I would like to make a soft integration for Subresource Integrity attributes, so be sure that I did not break the application, but only to show a warning that I need to fix some places.



Is there an option to do so?






html subresource-integrity







share|improve this question




























    10















    I would like to make a soft integration for Subresource Integrity attributes, so be sure that I did not break the application, but only to show a warning that I need to fix some places.



    Is there an option to do so?






    html subresource-integrity







    share|improve this question
























      10












      10








      10








      I would like to make a soft integration for Subresource Integrity attributes, so be sure that I did not break the application, but only to show a warning that I need to fix some places.



      Is there an option to do so?






      html subresource-integrity







      share|improve this question














      I would like to make a soft integration for Subresource Integrity attributes, so be sure that I did not break the application, but only to show a warning that I need to fix some places.



      Is there an option to do so?






      html subresource-integrity




      html subresource-integrity






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Mar 26 at 15:08









      Stepan SuvorovStepan Suvorov

      13k18 gold badges73 silver badges147 bronze badges




      13k18 gold badges73 silver badges147 bronze badges






















          2 Answers
          2






          active

          oldest

          votes


















          4





          +100









          Secure approach



          If you need some kind of flexibility, then you should use a fallback mechanism - loading required resource from another URL. Probability that two different URL's will be hacked at the same time is a lot smaller compared to hacking just one resource. Fallback doesn't violate site security, because you must trust your known-good sources which you use in your code. If your resource is a Javascript - you can use a noncanonical-src attribute for a fallback too.



          Insecure approach



          Now, if you really, really want a user to break server and/or client security by forcing compromised resource load - at least ask a user if he/she takes responsibility by doing so. Of course this will still be a stupid thing, it's like asking "Would you like to run a virus in your computer ?". I bet nobody would like to say YES. Anyway, here is the code, which does asking these type of questions:



          <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js"></script>
           <script>
           function loadResource(path) 
           var xhttp = new XMLHttpRequest();
           xhttp.onreadystatechange = function() 
           if (this.readyState == 4 && this.status == 200) 
           var cs = CryptoJS.SHA256(this.responseText);
           if (btoa(cs) == 'NjBiMTllNWRhNmE5MjM0ZmY5MjIwNjY4YTVlYzExMjVjMTU3YTI2ODUxMzI1NjE4OGVlODBmMmQyYzhkOGQzNg==' 
           ;
           xhttp.open("GET", path, true);
           xhttp.send();
           

           loadResource(
           //'https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css' // newest boostrap
           'https://stackpath.bootstrapcdn.com/twitter-bootstrap/2.0.4/css/bootstrap-combined.min.css' // old legacy
           );
           </script>


          DEMO






          share|improve this answer






























            1














            I do not recommend only displaying warnings when the SRI-Hashes don't match. When see the warning as a User, it's already too late and potentially malicious scripts were executed on your machine.



            However, you can implement your desired behaviour using the ServiceWorker-API and something like <script data-integrity="xxxxxxxx">. For that, you'd want to:



            1. Register a new ServiceWorker

            2. Listen to the fetch event


            3. [Client.postMessage] the targetURL to your Parent

            4. Get script integrity hash by targetURL $('script[src=event.data.targetURL]').attr('data-integrity')

              and push it into the client using Worker.postMessage

            5. hash the response using e.G. cryptojs.sha256

            6. match the hashes inside the worker

            7. If the hashes match, return the response. If they don't match, return the response and use Client.postMessage again to trigger a warning.





            share|improve this answer



























              Your Answer






              StackExchange.ifUsing("editor", function ()
              StackExchange.using("externalEditor", function ()
              StackExchange.using("snippets", function ()
              StackExchange.snippets.init();
              );
              );
              , "code-snippets");

              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "1"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader:
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              ,
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













              draft saved

              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55360441%2fsubresource-integrity-how-to-show-only-warning-but-not-block-resource%23new-answer', 'question_page');

              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              4





              +100









              Secure approach



              If you need some kind of flexibility, then you should use a fallback mechanism - loading required resource from another URL. Probability that two different URL's will be hacked at the same time is a lot smaller compared to hacking just one resource. Fallback doesn't violate site security, because you must trust your known-good sources which you use in your code. If your resource is a Javascript - you can use a noncanonical-src attribute for a fallback too.



              Insecure approach



              Now, if you really, really want a user to break server and/or client security by forcing compromised resource load - at least ask a user if he/she takes responsibility by doing so. Of course this will still be a stupid thing, it's like asking "Would you like to run a virus in your computer ?". I bet nobody would like to say YES. Anyway, here is the code, which does asking these type of questions:



              <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js"></script>
               <script>
               function loadResource(path) 
               var xhttp = new XMLHttpRequest();
               xhttp.onreadystatechange = function() 
               if (this.readyState == 4 && this.status == 200) 
               var cs = CryptoJS.SHA256(this.responseText);
               if (btoa(cs) == 'NjBiMTllNWRhNmE5MjM0ZmY5MjIwNjY4YTVlYzExMjVjMTU3YTI2ODUxMzI1NjE4OGVlODBmMmQyYzhkOGQzNg==' 
               ;
               xhttp.open("GET", path, true);
               xhttp.send();
               

               loadResource(
               //'https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css' // newest boostrap
               'https://stackpath.bootstrapcdn.com/twitter-bootstrap/2.0.4/css/bootstrap-combined.min.css' // old legacy
               );
               </script>


              DEMO






              share|improve this answer



























                4





                +100









                Secure approach



                If you need some kind of flexibility, then you should use a fallback mechanism - loading required resource from another URL. Probability that two different URL's will be hacked at the same time is a lot smaller compared to hacking just one resource. Fallback doesn't violate site security, because you must trust your known-good sources which you use in your code. If your resource is a Javascript - you can use a noncanonical-src attribute for a fallback too.



                Insecure approach



                Now, if you really, really want a user to break server and/or client security by forcing compromised resource load - at least ask a user if he/she takes responsibility by doing so. Of course this will still be a stupid thing, it's like asking "Would you like to run a virus in your computer ?". I bet nobody would like to say YES. Anyway, here is the code, which does asking these type of questions:



                <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js"></script>
                 <script>
                 function loadResource(path) 
                 var xhttp = new XMLHttpRequest();
                 xhttp.onreadystatechange = function() 
                 if (this.readyState == 4 && this.status == 200) 
                 var cs = CryptoJS.SHA256(this.responseText);
                 if (btoa(cs) == 'NjBiMTllNWRhNmE5MjM0ZmY5MjIwNjY4YTVlYzExMjVjMTU3YTI2ODUxMzI1NjE4OGVlODBmMmQyYzhkOGQzNg==' 
                 ;
                 xhttp.open("GET", path, true);
                 xhttp.send();
                 

                 loadResource(
                 //'https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css' // newest boostrap
                 'https://stackpath.bootstrapcdn.com/twitter-bootstrap/2.0.4/css/bootstrap-combined.min.css' // old legacy
                 );
                 </script>


                DEMO






                share|improve this answer

























                  4





                  +100







                  4





                  +100



                  4




                  +100





                  Secure approach



                  If you need some kind of flexibility, then you should use a fallback mechanism - loading required resource from another URL. Probability that two different URL's will be hacked at the same time is a lot smaller compared to hacking just one resource. Fallback doesn't violate site security, because you must trust your known-good sources which you use in your code. If your resource is a Javascript - you can use a noncanonical-src attribute for a fallback too.



                  Insecure approach



                  Now, if you really, really want a user to break server and/or client security by forcing compromised resource load - at least ask a user if he/she takes responsibility by doing so. Of course this will still be a stupid thing, it's like asking "Would you like to run a virus in your computer ?". I bet nobody would like to say YES. Anyway, here is the code, which does asking these type of questions:



                  <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js"></script>
                   <script>
                   function loadResource(path) 
                   var xhttp = new XMLHttpRequest();
                   xhttp.onreadystatechange = function() 
                   if (this.readyState == 4 && this.status == 200) 
                   var cs = CryptoJS.SHA256(this.responseText);
                   if (btoa(cs) == 'NjBiMTllNWRhNmE5MjM0ZmY5MjIwNjY4YTVlYzExMjVjMTU3YTI2ODUxMzI1NjE4OGVlODBmMmQyYzhkOGQzNg==' 
                   ;
                   xhttp.open("GET", path, true);
                   xhttp.send();
                   

                   loadResource(
                   //'https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css' // newest boostrap
                   'https://stackpath.bootstrapcdn.com/twitter-bootstrap/2.0.4/css/bootstrap-combined.min.css' // old legacy
                   );
                   </script>


                  DEMO






                  share|improve this answer













                  Secure approach



                  If you need some kind of flexibility, then you should use a fallback mechanism - loading required resource from another URL. Probability that two different URL's will be hacked at the same time is a lot smaller compared to hacking just one resource. Fallback doesn't violate site security, because you must trust your known-good sources which you use in your code. If your resource is a Javascript - you can use a noncanonical-src attribute for a fallback too.



                  Insecure approach



                  Now, if you really, really want a user to break server and/or client security by forcing compromised resource load - at least ask a user if he/she takes responsibility by doing so. Of course this will still be a stupid thing, it's like asking "Would you like to run a virus in your computer ?". I bet nobody would like to say YES. Anyway, here is the code, which does asking these type of questions:



                  <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js"></script>
                   <script>
                   function loadResource(path) 
                   var xhttp = new XMLHttpRequest();
                   xhttp.onreadystatechange = function() 
                   if (this.readyState == 4 && this.status == 200) 
                   var cs = CryptoJS.SHA256(this.responseText);
                   if (btoa(cs) == 'NjBiMTllNWRhNmE5MjM0ZmY5MjIwNjY4YTVlYzExMjVjMTU3YTI2ODUxMzI1NjE4OGVlODBmMmQyYzhkOGQzNg==' 
                   ;
                   xhttp.open("GET", path, true);
                   xhttp.send();
                   

                   loadResource(
                   //'https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css' // newest boostrap
                   'https://stackpath.bootstrapcdn.com/twitter-bootstrap/2.0.4/css/bootstrap-combined.min.css' // old legacy
                   );
                   </script>


                  DEMO







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Apr 2 at 9:25









                  Agnius VasiliauskasAgnius Vasiliauskas

                  7,7465 gold badges41 silver badges62 bronze badges




                  7,7465 gold badges41 silver badges62 bronze badges























                      1














                      I do not recommend only displaying warnings when the SRI-Hashes don't match. When see the warning as a User, it's already too late and potentially malicious scripts were executed on your machine.



                      However, you can implement your desired behaviour using the ServiceWorker-API and something like <script data-integrity="xxxxxxxx">. For that, you'd want to:



                      1. Register a new ServiceWorker

                      2. Listen to the fetch event


                      3. [Client.postMessage] the targetURL to your Parent

                      4. Get script integrity hash by targetURL $('script[src=event.data.targetURL]').attr('data-integrity')

                        and push it into the client using Worker.postMessage

                      5. hash the response using e.G. cryptojs.sha256

                      6. match the hashes inside the worker

                      7. If the hashes match, return the response. If they don't match, return the response and use Client.postMessage again to trigger a warning.





                      share|improve this answer





























                        1














                        I do not recommend only displaying warnings when the SRI-Hashes don't match. When see the warning as a User, it's already too late and potentially malicious scripts were executed on your machine.



                        However, you can implement your desired behaviour using the ServiceWorker-API and something like <script data-integrity="xxxxxxxx">. For that, you'd want to:



                        1. Register a new ServiceWorker

                        2. Listen to the fetch event


                        3. [Client.postMessage] the targetURL to your Parent

                        4. Get script integrity hash by targetURL $('script[src=event.data.targetURL]').attr('data-integrity')

                          and push it into the client using Worker.postMessage

                        5. hash the response using e.G. cryptojs.sha256

                        6. match the hashes inside the worker

                        7. If the hashes match, return the response. If they don't match, return the response and use Client.postMessage again to trigger a warning.





                        share|improve this answer



























                          1












                          1








                          1







                          I do not recommend only displaying warnings when the SRI-Hashes don't match. When see the warning as a User, it's already too late and potentially malicious scripts were executed on your machine.



                          However, you can implement your desired behaviour using the ServiceWorker-API and something like <script data-integrity="xxxxxxxx">. For that, you'd want to:



                          1. Register a new ServiceWorker

                          2. Listen to the fetch event


                          3. [Client.postMessage] the targetURL to your Parent

                          4. Get script integrity hash by targetURL $('script[src=event.data.targetURL]').attr('data-integrity')

                            and push it into the client using Worker.postMessage

                          5. hash the response using e.G. cryptojs.sha256

                          6. match the hashes inside the worker

                          7. If the hashes match, return the response. If they don't match, return the response and use Client.postMessage again to trigger a warning.





                          share|improve this answer















                          I do not recommend only displaying warnings when the SRI-Hashes don't match. When see the warning as a User, it's already too late and potentially malicious scripts were executed on your machine.



                          However, you can implement your desired behaviour using the ServiceWorker-API and something like <script data-integrity="xxxxxxxx">. For that, you'd want to:



                          1. Register a new ServiceWorker

                          2. Listen to the fetch event


                          3. [Client.postMessage] the targetURL to your Parent

                          4. Get script integrity hash by targetURL $('script[src=event.data.targetURL]').attr('data-integrity')

                            and push it into the client using Worker.postMessage

                          5. hash the response using e.G. cryptojs.sha256

                          6. match the hashes inside the worker

                          7. If the hashes match, return the response. If they don't match, return the response and use Client.postMessage again to trigger a warning.






                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited Apr 1 at 15:25

























                          answered Apr 1 at 14:52









                          Tom MTom M

                          1,8851 gold badge10 silver badges27 bronze badges




                          1,8851 gold badge10 silver badges27 bronze badges



























                              draft saved

                              draft discarded
















































                              Thanks for contributing an answer to Stack Overflow!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid


                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.

                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55360441%2fsubresource-integrity-how-to-show-only-warning-but-not-block-resource%23new-answer', 'question_page');

                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              -

                              Popular posts from this blog

                              Kamusi Yaliyomo Aina za kamusi | Muundo wa kamusi | Faida za kamusi | Dhima ya picha katika kamusi | Marejeo | Tazama pia | Viungo vya nje | UrambazajiKuhusu kamusiGo-SwahiliWiki-KamusiKamusi ya Kiswahili na Kiingerezakuihariri na kuongeza habari

                              Image
                              Pages using ISBN magic linksMbegu za lughaKamusiIsimu nenoKiarabukitabulughaKiswahilialfabetimaanaufafanuzimanenomuhtasarisarufividahizoalfabeti Kamusi Kutoka Wikipedia, kamusi elezo huru Jump to navigation Jump to search Kamusi za Kiswahili Kamusi ya Kiswahili-Kiswahili (kamusi wahidiya) Kamusi ya Kiswahili - Kiingereza (kamusi thania) Kamusi (kutoka neno la Kiarabu قاموس qamus ) ni kitabu ambacho kinaorodhesha maneno ya lugha yaliyokusanywa kutoka kwa watumiaji wa lugha fulani, kwa mfano lugha ya Kiswahili. Maneno hupangwa kwa mtindo wa alfabeti, hutoa maana, asili na ufafanuzi wa utumizi wa maneno na jinsi yanavyotumika au yanavyotamkwa. [1] Yaliyomo 1 Aina za kamusi 2 Muundo wa kamusi 2.1 1. Utangulizi wa kamusi 2.2 2. Matini ya kamusi 2.3 3. Sherehe ya kamusi 3 Faida za kamusi 4 Dhima ya picha katika kamusi 5 Marejeo 6 Tazama pia 7 Viungo vya nje Aina za kamusi | Kuna aina mbalimbali za kamusi ambazo ni: Kamusi wahidiya yaani ya l
                              Read more

                              Swift 4 - func physicsWorld not invoked on collision? The Next CEO of Stack OverflowHow to call Objective-C code from Swift#ifdef replacement in the Swift language@selector() in Swift?#pragma mark in Swift?Swift for loop: for index, element in array?dispatch_after - GCD in Swift?Swift Beta performance: sorting arraysSplit a String into an array in Swift?The use of Swift 3 @objc inference in Swift 4 mode is deprecated?How to optimize UITableViewCell, because my UITableView lags

                              Image
                              Strange use of "whether ... than ..." in official text Could a dragon use its wings to swim? Car headlights in a world without electricity How to avoid supervisors with prejudiced views? Is the offspring between a demon and a celestial possible? If so what is it called and is it in a book somewhere? Can I board the first leg of the flight without having final country's PR card? subequations: How to continue numbering within subequation? How do you define an element with an ID attribute using LWC? Relevant Part for a Badminton Serve What CSS properties can the br tag have? What are the unusually-enlarged wing sections on this P-38 Lightning? Why did early computer designers eschew integers? Is it a bad idea to plug the other end of ESD strap to wall ground? Magento 1.9 observer on only new product added ( no updated product ) Airplane gently rocking its wings during whole flight It is correct to match light sources with the same color temperat
                              Read more

                              Access current req object everywhere in Node.js ExpressWhy are global variables considered bad practice? (node.js)Using req & res across functionsHow do I get the path to the current script with Node.js?What is Node.js' Connect, Express and “middleware”?Node.js w/ express error handling in callbackHow to access the GET parameters after “?” in Express?Modify Node.js req object parametersAccess “app” variable inside of ExpressJS/ConnectJS middleware?Node.js Express app - request objectAngular Http Module considered middleware?Session variables in ExpressJSAdd properties to the req object in expressjs with Typescript

                              Image
                              What steps should I take to lawfully visit the United States as a tourist immediately after visiting on a B-1 visa? Would dual wielding daggers be a viable choice for a covert bodyguard? For a hashing function like MD5, how similar can two plaintext strings be and still generate the same hash? Using Newton's shell theorem to accelerate a spaceship Why doesn't sea level show seasonality? What prevents someone from claiming to be the murderer in order to get the real murderer off? Has anyone in space seen or photographed a simple laser pointer from Earth? What does (void *)1 mean Why does the U.S. tolerate foreign influence from Saudi Arabia and Israel on its domestic policies while not tolerating that from China or Russia? Modulus Operandi What's the point of having a RAID 1 configuration over incremental backups to a secondary drive? How to ask for a LinkedIn endorsement? Good resources for solving techniques (Metaheuristics, MILP, CP etc) How woul
                              Read more