Subresource integrity

A new feature in Google Chrome 45 is the ability to add metadata inline to <script> and <link rel="stylesheet"> elements, which allows the browser to determine whether the resource it downloaded is the one the author intended.

This is done by adding integrity metadata inline to the element, such as:

<link rel="stylesheet" href="this_is_verified.css" integrity="sha256-qvuZLpjL9TNV6yI1kNdGCPnSTrWM6Y0ILEzzyvA9hGY=">

You would generate the base64 encoded version of the SHA256 hash with the following command:

cat this_is_verified.css | openssl dgst -sha256 -binary | openssl enc -base64 -A

If the hash of the downloaded file doesn't match the integrity value, the integrity of the resource is considered compromised and the browser will not load it.
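The hash generation and the load-or-block decision described above, as an added Python example (not code from the original post). It goes beyond the single-hash case shown here: following the SRI specification, it accepts several space-separated hashes, checks only the strongest algorithm listed, and treats an attribute with no recognised algorithm as unenforced. The function names are this example's own.

```python
import base64
import hashlib

# Algorithms defined for SRI, weakest to strongest.
ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, alg: str = "sha256") -> str:
    """Return an integrity value such as 'sha256-<base64 digest>'."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(integrity: str) -> dict:
    """Group the digests in an integrity attribute by algorithm."""
    parsed = {}
    for token in integrity.split():
        alg, sep, value = token.partition("-")
        if not sep or alg not in ALGORITHMS:
            continue  # unknown or malformed entries are ignored
        value = value.split("?", 1)[0]  # drop any ?options suffix
        parsed.setdefault(alg, set()).add(value)
    return parsed


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Mirror the browser's check: True means the resource would load."""
    parsed = parse_integrity(integrity)
    if not parsed:
        return True  # no usable metadata: nothing is enforced
    strongest = max(parsed, key=ALGORITHMS.index)
    actual = sri_hash(data, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


if __name__ == "__main__":
    css = b"body { color: #333; }\n"  # constructed sample stylesheet
    value = sri_hash(css)
    print(value)
    print(verify_integrity(css, value))               # unmodified file
    print(verify_integrity(css + b"/* x */", value))  # modified file
```

Because an unrecognised algorithm name leaves the resource unchecked, a build step that runs `verify_integrity` should also fail when `parse_integrity` returns nothing.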

This is currently in development for Firefox as well, though there is no news on an implementation for Edge or Safari.
