Shulou(Shulou.com)06/02 Report--

This article describes in detail the corresponding analysis and solutions to the question of how Javascript uses the integrity attribute for security verification, hoping to help more partners who want to solve this problem to find a simpler and easier way.

I. introduction of script tags into files

In html, the script tag can introduce a js file through the src attribute, and the imported js file can be local or remote.

1. Import local files

Local js files are generally introduced into the development environment.

two。 Introduce remote files

After being deployed online, it is generally distributed to cdn, and remote files need to be introduced, such as:

There is just a problem with the introduction of remote files, which may affect users if the corresponding files are tampered with. Although cdn is generally reliable, it does not rule out attacks by hackers.

In this case, security verification can be done through the attribute integrity of the script tag.

Integrity security verification

The integrity attribute setting introduces the hash value of the js file. When downloading the js file, the browser will hash the js file. If it is consistent, it will load normally, otherwise it will refuse to load and run.

It looks like:

2. Examples

3. Introducing cdn resources from vue

For example, we want to introduce the cdn resources of vue:

Https://unpkg.com/vue@3.0.5/dist/vue.global.js

Hash values can be generated through https://www.srihash.org/.

Integrity generates hash values

Integrity generates hash values

Finally, add the value of integrity to the script tag.

4. Verify that it is normal

Because the cdn resource is introduced, it cannot be modified directly, but if you modify the value of integrity, if you modify the value of integrity, the browser will eventually report the following error:

Failed to find a valid digest in the 'integrity' attribute for resource' https://unpkg.com/vue@3.0.5/dist/vue.global.js' with computed SHA-256 integrity' Wr5PnkpmZ3oQFRZLfDrI6fsePSMak5h8rW2rqq+mdWg='. The resource has been blocked.

It means that the hash value of the cdn file does not match the integrity value.

This is the answer to the question about how Javascript uses the integrity attribute for security verification. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.