Implement Subresource Integrity

Originator:DanFabulich
Number:rdar://30609889 Date Originated:2017-02-20
Status:Duplicate of 18945879 Resolved:
Product:Safari Product Version:
Classification:Feature (New) Reproducible:Not Applicable
 
https://bugs.webkit.org/show_bug.cgi?id=148363

The SRI specification "defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation" using a validation scheme and "extending several HTML elements with an integrity attribute that contains a cryptographic hash of the representation of the resource the author expects to load." http://w3c.github.io/webappsec/specs/subresourceintegrity/

Example: If a document loads some JavaScript library code from a shared server at https://example.com/example-framework.js rather than from the same own origin as the document, the document can specify the expected SHA-256 hash of https://example.com/example-framework.js (e.g., C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=) and the UA, before executing the JavaScript, can verify that the data matches that expected hash.

<script src="https://example.com/example-framework.js"
        integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg="
        crossorigin="anonymous"></script>

The mechanism can also be used for resources loaded through <link> elements.

As far as support in other UAs, Chrome has supported Subresource Integrity since v45, and Firefox has since v43. https://developer.mozilla.org/en/docs/Web/HTML/Element/script#Browser_compatibility

Comments


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!