Tuesday, January 12, 2016

Subresource Integrity

TinFoil Security on Subresource Integrity

W3C chat between Joel Weinberger from Chromium and Gervase Markham from Mozilla talking about Subresource Integrity

I've no idea whether this is something a website owner can implement on his or her own. Does it need the cooperation of the asset provider?

The only outside assets I use are Google fonts. I asked Nik Black from Tinfoil Security, and he answered this way:

The webmaster can calculate the hash independent of the asset provider, yes. We usually recommend https://www.srihash.org/, but it looks like they don't handle the Google web font resources correctly. Subresource Integrity Protection is still relatively new, so support for it is still catching up.
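To make "calculate the hash independent of the asset provider" concrete, here is an added sketch (not part of the original post or of Nik's reply) that computes an integrity value from the bytes a third party serves and then checks it the way a browser would. The function names, the `cdn.example` URL and the sample stylesheet bytes are constructed for illustration.

```python
import base64
import hashlib

# Hash functions the SRI specification defines, weakest to strongest.
ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value for the exact bytes served."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Check body against an integrity value the way a browser does:
    ignore unknown tokens, keep only the strongest algorithm listed,
    accept if any digest for that algorithm matches."""
    by_alg = {}
    for token in integrity.split():
        alg, sep, rest = token.partition("-")
        if sep and alg in ALGORITHMS:
            by_alg.setdefault(alg, []).append(rest.split("?", 1)[0])  # drop ?options
    if not by_alg:
        return True  # no usable metadata: nothing is enforced
    strongest = max(by_alg, key=ALGORITHMS.index)
    actual = sri_hash(body, strongest).split("-", 1)[1]
    return actual in by_alg[strongest]


def link_tag(url: str, body: bytes) -> str:
    """Build the <link> element; cross-origin SRI needs a CORS fetch."""
    return (f'<link rel="stylesheet" href="{url}" '
            f'integrity="{sri_hash(body)}" crossorigin="anonymous">')


# Constructed sample: stylesheet bytes the third-party host returned when pinned.
PINNED = b"body { font-family: 'Example Sans', sans-serif; }\n"
# Constructed sample: the same URL later serving different bytes.
CHANGED = b"body { font-family: 'Example Sans', serif; }\n"

if __name__ == "__main__":
    print(link_tag("https://cdn.example/fonts.css", PINNED))
    print("unchanged bytes accepted:", sri_matches(PINNED, sri_hash(PINNED)))
    print("changed bytes accepted:  ", sri_matches(CHANGED, sri_hash(PINNED)))
```

The hash pins exact bytes, so any resource whose response body differs between requests will fail the check and be blocked, even when the change is legitimate.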
