#5076 - Subresource integrity (SRI)

By Adam Edington
Added 22nd Nov 2022, 4:44 PM
4 views

Identifier	#5076
Issue type	Feature request or suggestion
Title	Subresource integrity (SRI)
Status	Closed (rejected)
Tags	Type: Security (custom)
Handling member	Chris Graham
Addon	General / Uncategorised
Description	Recommended by W3C, secures external resources (CDN or other). Not sure if implemented in v11 but seems pretty straightforward.
Steps to reproduce
Additional information	https://en.wikipedia.org/wiki/Subresource_Integrity
Funded?	No

The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".

Rating

Unrated

Comments

By Guest posted 22nd Nov 2022, 8:14 PM

It'd a good suggestion, but actually we aren't using any CDNs to static resources out of the box for reasons of privacy, reliability, and for Intranet sites to be able to work offline. Anyone who wants to code up something into HTML_HEAD to use a CDN for some JS lib (For example) can already do this (and I would advise that they do).

By Guest posted 22nd Nov 2022, 8:15 PM

There are cases where we include off-site code, like Google Translate, but we can't do integrity stuff on that as it is not static - subject to change by whim.

By Guest posted 22nd Nov 2022, 10:41 PM

Fair enough, might be worth adding to JS docs as a recommendation.

By Guest posted 23rd Nov 2022, 11:42 AM

We're just not big enough to take on the responsibility for documenting the use of web standards except for sign-posting things we have implemented or explaining how to use our own features.
To get a sense how much the corporations are spending on documenting the use of web standards, see this article: https://www.i-programmer.info/news/87-web-development/14600-mdn-plus-a-premium-service.html
It's more of responsibility of CDNs to provide embed code that has subresource integrity already setup for them.