What do Integrity and Crossorigin in HTML Script Tags Mean?

Integrity and Crossorigin in HTML

So what are the integrity and crossorigin attributes you commonly find on script and link tags? They give the web developer explicit control over how the browser loads a resource, and they add a layer of security to that load.

<script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha256-CjSoeELFOcH0/uxWu6mC/Vlrc1AARqbm/jiiImDGV3s=" crossorigin="anonymous"></script>

Here is the breakdown of what these attributes do.

Subresource Integrity (SRI)

SRI is a new W3C specification that allows web developers to ensure that resources hosted on third-party servers have not been tampered with. Using SRI is highly recommended as a best practice whenever libraries are loaded from third-party sources.

The integrity attribute holds the hash value of a resource loaded from a third-party source (a SHA-256 hash in the example above). The file the browser fetches has to match that hash in order for the browser to execute it.

This is an important attribute because there is always the risk of attackers modifying resources on the third-party server, which would then be loaded and executed in the end users' browsers.
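The following Node.js sketch is an added example, not code from the original article: it derives an integrity value for a file and reproduces the comparison the browser makes before executing it. The function names, the `cdn.example` URL and the sample script body are constructed for illustration.

```javascript
const crypto = require("crypto");

// Hash functions defined for SRI, ordered weakest to strongest.
const ALGORITHMS = ["sha256", "sha384", "sha512"];
const TOKEN = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(?:\?.*)?$/;

// Value for the integrity attribute: "<algorithm>-<base64 digest of the file>".
function computeIntegrity(body, alg = "sha384") {
  if (!ALGORITHMS.includes(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Mirrors the browser's check: ignore tokens it cannot parse, keep only the
// strongest algorithm listed, and accept if any hash of that algorithm matches.
function verifyIntegrity(body, integrityAttr) {
  const entries = integrityAttr.trim().split(/\s+/)
    .map((token) => TOKEN.exec(token))
    .filter(Boolean)
    .map((m) => ({ alg: m[1], digest: m[2] }));
  if (entries.length === 0) return true; // no usable hash: nothing is enforced
  const rank = (e) => ALGORITHMS.indexOf(e.alg);
  const strongest = Math.max(...entries.map(rank));
  return entries
    .filter((e) => rank(e) === strongest)
    .some((e) => computeIntegrity(body, e.alg) === `${e.alg}-${e.digest}`);
}

// Tag to paste into the page; crossorigin makes the cross-origin fetch use
// CORS, which the browser needs before it can hash the response.
function scriptTag(url, body) {
  return `<script src="${url}" integrity="${computeIntegrity(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample input: a library file as published and a modified copy.
const published = "window.lib = { version: '1.0.0' };\n";
const modified = published + "/* line added after publication */\n";
const attr = computeIntegrity(published);

console.log(scriptTag("https://cdn.example/lib.js", published));
console.log("published copy accepted:", verifyIntegrity(published, attr));
console.log("modified copy accepted: ", verifyIntegrity(modified, attr));
```

An attribute that contains no hash the browser recognizes is treated as if it were absent, so a typo in the algorithm name silently disables the check.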

Cross-Origin Resource Sharing (CORS)

This is a feature that uses additional HTTP headers to tell a web browser to let a web application running at one origin (usually a domain) have permission to access selected resources from a server at a different origin (domain).


The possible values of the crossorigin attribute are use-credentials and anonymous.

You can find out more about Subresource Integrity from here and details about Cross-Origin Resource Sharing can be found here.