SRI tag helper security\fallback #79
As Damian noted on the ASP.NET community standup:
I would recommend uploading the required file to the server, use that to compute the hash (saves on download time).
and of course you could add the SRI tag to both script elements
My initial thinking was that you could check the files at deployment time when the tag helper first runs. Then the tag helper would have calculated the hash and cached it without any expiration time, so you are good from then on. That's still more secure than 'every site on the internet' as Jon Galloway put it in the ASP.NET standup.
I suppose that checking the files on every deployment is not great for the developer. So for the next iteration I will add an alternative source, basically a local file from which the SRI is calculated. Something like this:
In this scenario, the developer would have to check the file for validity every time they upgrade it. I'm not 100% sure if dropping the call to the CDN resource is the way to go. If we kept the call, we could compare the SRI and log an error, giving the developer some quick feedback on something they might otherwise miss if they are using script fallbacks. Perhaps this should be an option?
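The "compute from a local copy, still compare against the CDN copy and log on mismatch" idea above, as an added stand-alone example (not the tag helper's own code): it builds the `integrity` value the way the SRI spec defines it and applies the browser's matching rule (only the strongest listed algorithm counts). The CDN response is passed in as bytes rather than fetched, and the sample script content is constructed.

```python
import base64
import hashlib
import logging

# Hash functions the SRI spec allows, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

log = logging.getLogger("sri")


def compute_integrity(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value ("sha384-<base64 digest>") for content."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attribute: str) -> dict:
    """Parse a (possibly multi-token) integrity attribute into {algorithm: {digests}}.
    Tokens with unknown algorithms are ignored, as a browser would ignore them."""
    parsed: dict = {}
    for token in attribute.split():
        algorithm, sep, digest = token.partition("-")
        if sep and algorithm in SRI_ALGORITHMS:
            parsed.setdefault(algorithm, set()).add(digest)
    return parsed


def matches_integrity(content: bytes, attribute: str) -> bool:
    """Browser rule: only the strongest listed algorithm is considered, and the
    content passes if it matches any digest given for that algorithm."""
    parsed = parse_integrity(attribute)
    if not parsed:
        return False  # no usable token: treat as a failed check, not a free pass
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = compute_integrity(content, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


def integrity_from_local(local_content: bytes, cdn_content: bytes = None) -> str:
    """Compute the tag's integrity from the deployed local copy (the alternative
    source proposed above). If the CDN copy is also supplied, compare it and log an
    error on mismatch so the developer gets feedback instead of a silent fallback."""
    integrity = compute_integrity(local_content)
    if cdn_content is not None and not matches_integrity(cdn_content, integrity):
        log.error("CDN copy does not match local copy; expected %s", integrity)
    return integrity


if __name__ == "__main__":
    script = b"console.log('hello');"  # constructed sample script content
    print(integrity_from_local(script, script))            # match: no error logged
    print(integrity_from_local(script, script + b"\n//x"))  # mismatch: error logged
```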
There is already a fallback script tag helper built in which pretty much generates the code you wrote. However, I prefer not to use them because they are not compatible with Content Security Policy (CSP), since they require the use of inline scripts.