|
|
|
|
|
|
by anglebracket
4521 days ago
|
|
|
> Perhaps it's about time we had a way to specify the hash of <script> source inline so browsers can serve files from cache even if they are from different origins A spec for just that was recently proposed[0], it even has support for a "canonical" script to be used in the event of that the hash check fails. The good news is a polyfill for this can probably be created today. If CDNs serve their JS with the proper CORS headers, you can request the JS with cross-domain XHR and check it against a hash before eval()ing the script. The bad news is that the polyfill would require you to allow `unsafe-eval` if you use Content-Security-Policy headers. Depending on your security model, it'd probably be best to host all your resources yourself. Not to mention that using a hash function written in javascript might negate any performance gains. [0]: http://w3c.github.io/webappsec/specs/subresourceintegrity/ |
|
|