
javascript - PCI Compliance- Script Src Integrity Check - Stack Overflow


I have a few <script src=""> tags in my script. For all the JS files that are in the internal file system, I'm using a command like:

cat jquery.js | openssl dgst -sha384 -binary | openssl base64 -A

to generate a base64-encoded SHA-384 hash and include that in the script tag like:

<script src="/js/jquery.js" integrity="J3vFgsKDNFSLyAxQe5jAHGNrVWc5wlIQG+hTxg57KX5ESMgxRMK1AbVWMP7kXogS"></script>

But my script also has a few JS files that are external, like:

<script src="https://code.jquery.com/jquery-latest.js"></script>

How can I generate the hash for the external JS so that I can include the integrity attribute for those as well?

asked Mar 6, 2019 at 17:56 by manishk

2 Answers


You can generate the SRI hash for external JS resources at this link: SRI HASH

I ran a diagnosis after this, and it works perfectly.

You could always download the file to disk and then run your command. Or alternatively you can swap out the first part of your command: instead of cat jquery.js, you can have curl -s <URL>.

Putting it together:

curl -s https://code.jquery.com/jquery-latest.js | openssl dgst -sha384 -binary | openssl base64 -A

Keep in mind that if (when) the script is updated by the third-party, integrity check will fail. With the jQuery example, you should expect that a "jquery-latest.js" file will change when an update is released (hence breaking the integrity check and causing the script to fail to load). In other words, your web site is likely to break when an update is released.

You may want to consider linking to a specific version instead (e.g. "https://code.jquery.com/jquery-3.4.1.min.js"). This means you (or another web developer on the team) will be responsible for keeping jQuery (and the script tag's hash) up to date, especially when a security fix is released.

Also it's worth noting that if the file is hosted on the same domain (i.e. on your web server), you don't have to include the hash for PCI compliance. The hash is only required for externally hosted JavaScript files.
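The procedure from the question and the second answer, put into a small script as an added example (this is not code from either poster). Two details matter that the page's own tags leave out: the integrity value must carry the algorithm prefix (sha384-...), because a value without a recognized prefix parses as no metadata and the browser silently skips the check, and a cross-origin script needs crossorigin="anonymous" or the opaque response cannot be validated and the script is blocked. The script assumes openssl is installed and uses constructed stand-in file contents instead of fetching from the CDN, so it runs offline; the curl line for the real file is shown in a comment.

```sh
#!/bin/sh
# Added example (not from the original question or answers).
# Assumes: openssl in PATH. The "jquery.js" contents below are constructed
# stand-ins for real JavaScript; no network access is needed.

# sri_hash FILE
# Print the SRI value for FILE: the "sha384-" prefix plus the base64 of the
# raw SHA-384 digest. Without a recognized prefix the browser parses no
# integrity metadata at all and loads the script unchecked.
sri_hash() {
    printf 'sha384-%s\n' "$(openssl dgst -sha384 -binary < "$1" | openssl base64 -A)"
}

# sri_tag URL FILE
# Emit the <script> tag for a copy of FILE served at URL. crossorigin="anonymous"
# is needed for cross-origin resources; an opaque (no-CORS) response cannot be
# integrity-checked and the browser refuses to run it.
sri_tag() {
    printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
        "$1" "$(sri_hash "$2")"
}

# sri_verify FILE EXPECTED
# Exit 0 if FILE still matches the pinned value EXPECTED, 1 otherwise.
# This is the comparison the browser makes before executing the script.
sri_verify() {
    [ "$(sri_hash "$1")" = "$2" ]
}

# --- demo ---------------------------------------------------------------
work=$(mktemp -d)
printf '/* jquery-3.4.1.min.js stand-in */ window.jQuery = function () {};\n' > "$work/jquery.js"
# For the real CDN file, replace the printf above with:
#   curl -fsSL https://code.jquery.com/jquery-3.4.1.min.js > "$work/jquery.js"

pinned=$(sri_hash "$work/jquery.js")
sri_tag "https://code.jquery.com/jquery-3.4.1.min.js" "$work/jquery.js"

# Simulate the CDN shipping a new "latest" build under the same URL:
# the pinned hash no longer matches, which is exactly how a site breaks.
printf '/* jquery-3.4.2 stand-in */ window.jQuery = function () {};\n' > "$work/jquery.js"
if sri_verify "$work/jquery.js" "$pinned"; then
    echo "unchanged: browser would execute the script"
else
    echo "integrity mismatch: browser would refuse to execute the script"
fi
rm -rf "$work"
```

Pin a versioned URL (as the answer suggests) and regenerate the tag with sri_tag whenever you deliberately upgrade; sri_verify can run in CI against the live CDN download to alert you before the browser does.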
