Just one of the things I'm learning. https://github.com/hchiam/learning
Make sure that JS from a CDN didn't get hacked or have malicious code injected into it by comparing the code to a hash before running it.
Example:
<script
src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/js/bootstrap.min.js"
integrity="sha384-OgVRvuATP1z7JjHLkuOU7Xw704+h835Lr+6QL9UvYjZE3Ipu6Tp75j7Bh/kR0JKI"
crossorigin="anonymous"
></script>Make sure to include both integrity and crossorigin too.
- https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
- https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/
echo sha384-$(cat FILENAME.js | openssl dgst -sha384 -binary | openssl base64 -A)
# or
echo sha384-$(shasum -b -a 384 FILENAME.js | awk '{ print $1 }' | xxd -r -p | base64)Example:
echo sha384-$(cat index.js | openssl dgst -sha384 -binary | openssl base64 -A)
# or
echo sha384-$(shasum -b -a 384 index.js | awk '{ print $1 }' | xxd -r -p | base64)Either one produces this:
sha384-A+/1ZBMjbXckmm7EutG5R0nYiAfre+/UZncsGfxQXSpiNIC+gCLZcHfECAkIXMN2You can also get this by simply running bash get-integrity.sh
And then finally in the HTML:
<script
src="https://cdn.jsdelivr.net/gh/hchiam/learning-sri@master/index.js"
integrity="sha384-A+/1ZBMjbXckmm7EutG5R0nYiAfre+/UZncsGfxQXSpiNIC+gCLZcHfECAkIXMN2"
crossorigin="anonymous"
></script>Which would prevent this:
<script
src="https://cdn.jsdelivr.net/gh/hchiam/learning-sri@master/index-with-modifications.js"
integrity="sha384-A+/1ZBMjbXckmm7EutG5R0nYiAfre+/UZncsGfxQXSpiNIC+gCLZcHfECAkIXMN2"
crossorigin="anonymous"
></script>open test/index.htmlOr go to https://learning-sri.surge.sh