
How to check the integrity of loaded Javascript code - Stack Overflow


I run a Bitcoin wallet that uses browser side Javascript to encrypt and decrypt Bitcoin keys.

I want to make the javascript available for scrutiny on Github, and then load the javascript from the github repository.

My problem is I need to check the integrity of the loaded Javascript to ensure it hasn't been tampered with at Github.

How can I best do this? Would it be something like:

  1. Load remote Javascript with an ajax call.
  2. MD5 hash and compare.
  3. If in good shape execute it.

asked Mar 18, 2013 at 14:59 by Ian Purton
  • 2 Couldn't the client mess with the checksum computing function itself? – Anirudh Ramanathan Commented Mar 18, 2013 at 15:01
  • Maybe store your code on another server. A CDN that only you can access. That way you can be sure it's fine. – gen_Eric Commented Mar 18, 2013 at 15:01
  • How crucial is this at the point of checking if client-side? I'm pretty sure you know client-side is not safe in practically any way. The integrity check really must be done by a server-side script and then feed it back to the JavaScript, otherwise you will face immense security problematics. – user1467267 Commented Mar 18, 2013 at 15:02
  • Anything that runs in a browser can be tampered with. Either directly or scripts loaded with an extension or add on. – datasage Commented Mar 18, 2013 at 15:02
  • 4 I'm pretty sure that using github as a CDN is explicitly discouraged. – Pointy Commented Mar 18, 2013 at 15:02

1 Answer

There is (or soon WILL be) an elegant way to achieve this now (2 years after the question was asked).

http://www.w3.org/TR/SRI/

You can now specify the "integrity" parameter inside the script tag:

<script src="https://github.com/<path>/yourscript.js"
        integrity="sha256-SDf......"
        crossorigin="anonymous"></script>

This won't work for a script loaded via an AJAX request. But you can potentially reference scripts as script tags pointing at the CDN (ideally not at github directly)
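
The check a browser applies to the integrity attribute shown in the answer, together with how to produce the attribute value from a reviewed copy of the script, as an added Node.js example that is not part of the original question or answer. The function names and the sample script bodies are constructed for illustration; MD5, proposed in the question, is not an algorithm SRI accepts, so only sha256, sha384 and sha512 are handled.

```javascript
// Added example (Node.js). Names and sample data are constructed for illustration.
const { createHash } = require("node:crypto");

// Hash algorithms SRI accepts, weakest to strongest. MD5 is not one of them.
const ALGS = ["sha256", "sha384", "sha512"];

// Build the value for integrity="...": "<alg>-<base64 digest of the exact bytes>".
function sriValue(body, alg = "sha384") {
  if (!ALGS.includes(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Split an integrity attribute into {alg, digest} entries.
// Tokens are whitespace-separated "alg-digest[?options]"; unknown ones are skipped.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).flatMap((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    return m ? [{ alg: m[1], digest: m[2] }] : [];
  });
}

// True only if body matches a digest of the strongest algorithm listed.
// Weaker entries are ignored, so a stale sha256 cannot override a sha512 pin.
function verifyIntegrity(body, attr) {
  const entries = parseIntegrity(attr);
  // A browser treats "no usable hash" as "no check"; this verifier fails closed.
  if (entries.length === 0) return false;
  const alg = ALGS[Math.max(...entries.map((e) => ALGS.indexOf(e.alg)))];
  const actual = createHash(alg).update(body).digest("base64");
  return entries.some((e) => e.alg === alg && e.digest === actual);
}

// Constructed sample: the reviewed script and a copy altered on the host.
const REVIEWED = "function decryptKey(blob, pass) { /* reviewed code */ }\n";
const TAMPERED = REVIEWED.replace("reviewed", "modified");
const PINNED = sriValue(REVIEWED); // value to paste into the script tag

console.log(`integrity="${PINNED}"`);
console.log("reviewed copy passes:", verifyIntegrity(REVIEWED, PINNED));
console.log("tampered copy passes:", verifyIntegrity(TAMPERED, PINNED));
```

Hash the exact bytes that will be served: re-minifying the file or changing its line endings produces a different digest and the browser will refuse to run it.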
