So what are the integrity and crossorigin attributes you commonly find on script and link tags? They add a layer of security to how scripts are loaded, and the web developer controls them explicitly.
<script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha256-CjSoeELFOcH0/uxWu6mC/Vlrc1AARqbm/jiiImDGV3s=" crossorigin="anonymous"></script>
Here is the breakdown of what these attributes do.
Subresource Integrity (SRI)
SRI is a new W3C specification that allows web developers to ensure that resources hosted on third-party servers have not been tampered with. It is highly recommended that one uses SRI as a best practice, whenever libraries are loaded from third-party sources.
The Integrity attribute defines the hash value of a resource loaded from a third-party source that has to match in order for the browser to execute it.
This is an important attribute because there is always the risk of attackers modifying resources on the server, which can then get loaded and executed in end users' browsers.
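What the browser does with the integrity value, reproduced in Node.js as an added example (not code from the original article); the function names and sample file contents are constructed for illustration. It goes slightly beyond the single-hash tag above: when several hashes are listed only the strongest algorithm counts, and a malformed value is ignored rather than blocking the script.

```javascript
// Added example: the SRI comparison a browser performs, reproduced in Node.js.
// Function names and sample data are constructed for illustration.
const crypto = require('crypto');

// Hash functions defined for SRI, weakest to strongest.
const ALGORITHMS = ['sha256', 'sha384', 'sha512'];
const TOKEN = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/i;

// Build an integrity attribute value for the given resource bytes.
function sriHash(content, algorithm = 'sha384') {
  if (!ALGORITHMS.includes(algorithm)) throw new Error(`unsupported: ${algorithm}`);
  return `${algorithm}-${crypto.createHash(algorithm).update(content).digest('base64')}`;
}

// Parse an integrity attribute; malformed or unknown tokens are ignored.
function parseIntegrity(attribute) {
  return attribute.trim().split(/\s+/)
    .map((token) => TOKEN.exec(token))
    .filter(Boolean)
    .map((m) => ({ algorithm: m[1].toLowerCase(), digest: m[2] }));
}

// Return { load, reason }: whether the resource would be allowed to execute.
function verifyIntegrity(content, attribute) {
  const entries = parseIntegrity(attribute);
  // With no usable hash the browser performs no check and loads the resource.
  if (entries.length === 0) return { load: true, reason: 'unchecked' };
  // Only hashes that use the strongest listed algorithm are considered.
  const rank = Math.max(...entries.map((e) => ALGORITHMS.indexOf(e.algorithm)));
  const strongest = ALGORITHMS[rank];
  const expected = entries.filter((e) => e.algorithm === strongest).map((e) => e.digest);
  const actual = sriHash(content, strongest).slice(strongest.length + 1);
  return expected.includes(actual)
    ? { load: true, reason: `match (${strongest})` }
    : { load: false, reason: `mismatch (${strongest})` };
}

// Constructed sample: the file the developer pinned, and a changed copy.
const original = Buffer.from('console.log("library v1");\n');
const modified = Buffer.from('console.log("library v1, changed on the server");\n');
const integrity = sriHash(original);

console.log(integrity);
console.log(verifyIntegrity(original, integrity));
console.log(verifyIntegrity(modified, integrity));
// A mistyped algorithm name is not a valid token, so no check takes place.
console.log(verifyIntegrity(modified, 'sha-384-typo'));
```

A build step can run the same comparison against each pinned CDN file and fail when the result is a mismatch or unchecked.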
Cross-Origin Resource Sharing (CORS)
This is a feature that uses additional HTTP headers to tell a web browser to let a web application running at one origin (usually a domain) have permission to access selected resources from a server at a different origin (domain).
The possible values of the crossorigin attribute are use-credentials and anonymous.
You can find out more about Subresource Integrity from here and details about Cross-Origin Resource Sharing can be found here.