← Back to Topics

Subresource Integrity (SRI)

This cluster centers on discussions of Subresource Integrity (SRI), a web security feature for verifying the integrity of third-party resources like scripts from CDNs to prevent tampering or compromise. Commenters frequently cite SRI as an existing solution to the parent post's proposed idea for hashing and protecting remote assets.

📉 Falling 0.4x Security
2,287
Comments
20
Years Active
5
Top Authors
#5676
Topic ID

Activity Over Time

2007
1
2008
19
2009
12
2010
38
2011
69
2012
63
2013
175
2014
155
2015
255
2016
155
2017
180
2018
202
2019
175
2020
171
2021
154
2022
143
2023
108
2024
120
2025
90
2026
2

Top Contributors

dane-pgp (30) tptacek (27) Animats (17) the8472 (16) twiss (15)

Keywords

scriptloader.js US JS WordPress MITM mozilla.org DNS GP HN HTTPS integrity hash scripts browser js script cdn content check client

Sample Comments

arayh Oct 16, 2018 View on HN

Not sure if this is what you're looking for, but subresource integrity perhaps?https://hacks.mozilla.org/2015/09/subresource-integrity-in-f...

jszymborski Jul 22, 2020 View on HN

Isn't this kinda solved by Subresource Integrity (SRI)?https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

LinuxBender Jul 23, 2021 View on HN

Could SRI be used for this? [1][1] - https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

nsgi Oct 19, 2016 View on HN

Subresource integrity still requires you to trust the server sending the hashes.

pastage Nov 8, 2022 View on HN

You can enable content security policy then hash all the javascripts and assets so only prebuilt and hashed stuff is allowed to be loaded in the web browser. There is no way to easily check that some one you trust did the hashing, but it is doable with an extension in the web browser.

EGreg Oct 19, 2016 View on HN

Your don't need to trust the server. You can implement subresource integrity checks!

taf2 Aug 16, 2018 View on HN

isn't this why https://developer.mozilla.org/en-US/docs/Web/Security/Subres... was invented?

Spivak Jun 10, 2016 View on HN

As long as you use subresource integrity we have a deal! I know it's currently experimental but having native browser support is much more palatable than using JS to check the hash.

ohyeshedid Jul 23, 2021 View on HN

Sounds like something subresource integrity[1] could be expanded to include.[1]: https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

asdfaoeu Feb 24, 2012 View on HN

For content that is already public but needs to be protected from modification like images and scripts couldn't it be hashed and the hash just sent with the page your viewing. Then the browser could download extra assets from an insecure source like a proxy or cdn and know that it hasn't been modified?