I'm reading about Subresource Integrity and understand it's meant for verifying external files. I guess it's no surprise I couldn't find any reference to inline JavaScript from either MDN or W3C.
So, is it safe to say that the SRI-related attributes, integrity and crossorigin, are completely useless for inline JavaScript?
- Related post - How can I make sure that my JavaScript files delivered over a CDN are not altered? – RBT Commented Sep 5, 2022 at 4:21
4 Answers
So, is it safe to say that the SRI-related attributes integrity and crossorigin are completely useless for inline JavaScript?
Yes, because those attributes are only useful for a script element that has a src attribute:
https://html.spec.whatwg.org/multipage/scripting.html#attr-script-integrity
The integrity attribute represents the integrity metadata for requests which this element is responsible for. The value is text. The integrity attribute must not be specified when embedding a module script or when the src attribute is not specified. [SRI]
Also as noted in the question, that's also made clear by the description in MDN:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.
If you are looking to protect inline script files, you can use the nonce attribute in CSP headers and specify that on the script tag:
nonce-base64-value
A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. See unsafe inline script for an example. Specifying nonce makes a modern browser ignore 'unsafe-inline' which could still be set for older browsers without nonce support.
I know that the thread is a little bit older, but the integrity hash check is now supported by the W3C. The script is executed if:
- the src is set, the integrity attribute is correct AND matches the CSP policy
- the src is not set, the integrity attribute is correct OR matches the CSP policy
Pull request
WebAppSec Subresource Integrity
EDIT: it seems that actually only Chrome supports this functionality.
Yes, it's safe to say that, because the integrity attribute of a <script> tag is ignored when the <script> has no "src" attribute. SRI only comes into the picture when a resource is fetched via a separate HTTP request.