Integrity protection for third-party JavaScript

Integrity protection for third-party JavaScript

Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.

This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.


Francois Marier

February 27, 2015