Why BootstrapCDN Believes in SRI and You Should Too
Browser Support for SRI

At the time of this writing, modern browsers like Mozilla Firefox, Google Chrome, and Opera all support SRI on desktop operating systems. Mobile versions of Firefox and Chrome have also integrated the standard. Although Internet Explorer does not feature SRI, the Edge developer team is considering adding support. (Feel free to vote for the feature request on the Windows developer feedback site, or give the Edge team a shout on Twitter to give it a little push.) For the latest news and full details on browser support, please refer to caniuse.com.
How to Implement SRI

For BootstrapCDN files, implementation is super easy. And for all other third-party files, it's not much harder. It just requires generating a hash and constructing a script tag.
For BootstrapCDN Files

At BootstrapCDN we already included the SRI hash for you. Just hop on our main page and copy-paste the HTML tag of your favorite asset into the HTML source of your website. After doing this you're all set and your BootstrapCDN-hosted website assets are protected.
For Other Files

Fire up your terminal and launch the following commands:
$ curl -s https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js | openssl dgst -sha512 -binary | openssl base64 -A
2e8qq0ETcfWRI4HJBzQiA3UoyFk6tbNyG+qSaIBZLyW9Xf3sWZHN/lxe9fTh1U45DpPf07yj94KsUHHWe4Yk1A==

Then construct your own <script> tag with the output of the commands, prefixed with the name of the hash algorithm:
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha512-2e8qq0ETcfWRI4HJBzQiA3UoyFk6tbNyG+qSaIBZLyW9Xf3sWZHN/lxe9fTh1U45DpPf07yj94KsUHHWe4Yk1A==" crossorigin="anonymous"></script>

If you don't have access to a terminal, try out the online SRI hash generators at srihash.org and report-uri.io. And if you're a website developer, you can integrate SRI hashing into your automated workflow with Grunt, Gulp, Broccoli, Webpack and Handlebars plugins. WordPress users may prefer the plugin that adds the hash automatically to third-party assets. Finally, don't forget to check whether SRI is correctly implemented by scanning your website for SRI hashes with sritest.io (now open source).
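The shell pipeline above does the job for one file, but a build step or a site checker usually wants the same logic in code. The following is an added example, not part of the original post or of BootstrapCDN's tooling: it generates an integrity token the way the pipeline does (raw digest, then base64), builds the matching script tag, and performs the check a browser makes when the resource arrives. The function names, the sample script body and the example URL are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import html
import re

# The SRI specification only defines these three algorithms; MD5 and SHA-1
# are deliberately absent and browsers ignore tokens that use them.
SRI_ALGORITHMS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}
# Relative strength used by browsers to pick which tokens count.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# One token: "<alg>-<base64 digest>" (the spec also allows "?options"; not needed here).
_TOKEN = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$")


def sri_hash(content: bytes, algorithm: str = "sha512") -> str:
    """Return the integrity token for `content`, e.g. 'sha512-<base64 digest>'.

    Equivalent to: openssl dgst -<alg> -binary | openssl base64 -A
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = SRI_ALGORITHMS[algorithm](content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha512") -> str:
    """Build the <script> tag for `src` whose body is `content`.

    crossorigin="anonymous" is required for cross-origin scripts: without a
    CORS-enabled response the browser cannot read the body to hash it and
    refuses to load the resource.
    """
    integrity = sri_hash(content, algorithm)
    return (
        f'<script src="{html.escape(src, quote=True)}" '
        f'integrity="{integrity}" crossorigin="anonymous"></script>'
    )


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute, browser-style.

    The attribute may carry several whitespace-separated tokens. Only tokens
    of the strongest algorithm present are considered, and the content is
    accepted if any one of them matches.
    """
    parsed = []
    for token in integrity.split():
        match = _TOKEN.match(token)
        if match:  # tokens with unknown algorithms are skipped, per spec
            parsed.append((match.group(1), match.group(2)))
    if not parsed:
        # A browser would load the resource unchecked here; a checking tool
        # should treat "no usable token" as a failure so it gets noticed.
        return False
    strongest = max(_STRENGTH[alg] for alg, _ in parsed)
    for alg, expected in parsed:
        if _STRENGTH[alg] != strongest:
            continue
        actual = base64.b64encode(SRI_ALGORITHMS[alg](content).digest()).decode("ascii")
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample body and URL; neither is a real hosted asset.
    body = b"console.log('hello from a constructed sample script');"
    tag = script_tag("https://cdn.example.invalid/sample.js", body)
    print(tag)
    token = sri_hash(body)
    print("unchanged body accepted:", verify_integrity(body, token))
    print("modified body accepted: ", verify_integrity(body + b"\n//", token))
```

The base64 alphabet in the token must be the standard one with `+`, `/` and `=` padding, which is what both `openssl base64` and `base64.b64encode` emit; URL-safe base64 is not valid SRI metadata and the browser would silently fail the load. The `verify_integrity` routine is what a scanner such as the one mentioned above needs to do for every external script and stylesheet it finds.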
- Mozilla Developers on Subresource Integrity
- A CDN that cannot XSS you – Using Subresource Integrity
- GitHub implements SRI
- What if China went all GitHub on your website?