Please note, this is a STATIC archive of website developer.mozilla.org from November 2016, cach3.com does not collect or store any user information, there is no "phishing" involved.

Integritatea Subresursei

This translation is in progress.

Integritatea Subresursei (SRI) Este o caracteristică de securitate care le permite navigatoarelor (browserelor) să verifice fișierele pe care le accesează sau descarcă (de exemplu, de la o rețea de distribuire a conținutului CDN) dacă sunt sau nu transmise fără  manipulări neașteptate. Funcționează prin a-ți permite să furnizezi  un hash criptografic care trebuie să corespundă cu fișierul descărcat / accesat.

Cum ajută Integritatea Subresursei (Subresource Integrity)

Folosind Content Delivery Networks (CDNs) (Rețele de distribuire a conținutului) pentru a găzdui fișiere cum ar fi scripturi și stiluri css care sunt distribuite cu ajutorul mai multor site-uri poate îmbunătăți performanța site-ului și în același timp poate economisi lățimea de bandă. Totuși, folosirea rețelelor de distribuire a conținutului (CDNs)  constituie un risc inerent prin faptul că dacă un atacator preia controlul unei Rețele de Distribuire a conținutului (CDN), atacatorul poate injecta conținut malițios (dăunător)  în fișierele de pe rețeaua de distribuire a conținutului / CDN (sau să substituie fișierele în totalitate) și prin urmare există posibilitatea ca atacatorul să poată compromite toate site-urile care descarcă fișiere de pe acea Rețea de distribuire a conținutului (Content Delivery Network).

The Subresource Integrity feature enables you to mitigate the risk of attacks such as this, by ensuring that the files your Web application or Web document fetches (from a CDN or anywhere) have been delivered without a third-party having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.

Using Subresource Integrity

You use the Subresource Integrity feature by specifying a base64-encoded cryptographic hash of a resource (file) you’re telling the browser to fetch, in the value of the integrity attribute of any <script> or <link> element.

An integrity value begins with at least one string, with each string including a prefix indicating a particular hash algorithm (currently the allowed prefixes are sha256, sha384, and sha512), followed by a dash, and ending with the actual base64-encoded hash.

An integrity value may contain multiple hashes separated by whitespace. A resource will be loaded if it matches one of those hashes.

Example integrity string with base64-encoded sha384 hash:

sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC

An integrity value’s “hash” part is, strictly speaking, a cryptographic digest formed by applying a particular hash function to some input (for example, a script or stylesheet file). But it’s common to use the shorthand hash to mean cryptographic digest, so that’s what’s used in this article.

Tools for generating SRI hashes

You can generate SRI hashes from the command-line with openssl using a command invocation such as this:

cat FILENAME.js | openssl dgst -sha384 -binary | openssl enc -base64 -A         

Additionally, the SRI Hash Generator at https://srihash.org/ is an online tool you can use to generate SRI hashes. 

Examples

In the following examples, assume that oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC is already known to be the expected SHA-384 hash (digest) of a particular script example-framework.js, and there’s a copy of the script hosted at https://example.com/example-framework.js.

Example: Subresource Integrity with the script element

You can use the following <script> element to tell a browser that before executing the https://example.com/example-framework.js script, the browser must first compare the script to the expected hash, and verify that there’s a match.

<script src="https://example.com/example-framework.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>

For more details on the purpose of the crossorigin attribute, see CORS settings attributes.

How browsers handle Subresource Integrity

Browsers handle SRI by doing the following:

  1. When a browser encounters a <script> or <link> element with an integrity attribute, before executing the script or before applying any stylesheet specified by the <link> element, the browser must first compare the script or stylesheet to the expected hash given in the integrity value.
  2. If the script or stylesheet doesn’t match its associated integrity value, then the browser must refuse to execute the script or apply the stylesheet, and must instead return a network error indicating that fetching of that script or stylesheet failed.

Specifications

Specification Status Comment
Subresource Integrity Recommendation  
Fetch Living Standard  

Browser compatibility

Feature Chrome Firefox (Gecko) Internet Explorer Opera Safari
The integrity attribute for <script> and <link> 45.0 43 (43) No support 32 No support [1]
Feature Chrome for Android Firefox Mobile (Gecko) IE Mobile Opera Mobile Safari Mobile
The integrity attribute for <script> and <link> 45.0 43.0 (43) No support No support No support [1]

[1] WebKit bug 148363

See also

Document Tags and Contributors

 Contributors to this page: GoodHuman
 Last updated by: GoodHuman,