Subresource Integrity: How to show only warning but not block resource?
Secure approach
If you need some kind of flexibility, then you should use a fallback mechanism - loading the required resource from another URL. The probability that two different URLs will be hacked at the same time is a lot smaller compared to hacking just one resource. Fallback doesn't violate site security, because you must trust the known-good sources which you use in your code. If your resource is JavaScript, you can use a noncanonical-src attribute for a fallback too.
What Microsoft provides is asp-fallback-test; the final generated output is:
<script src="https://cdn.bootcdn.net/ajax/libs/axios/0.19.2/axios.min.js" integrity="sha384-3zW4Ss6nBzDaj/vvjP2Qwu5xaWAzOgTSccYj0DfBO/5tDzQksJa+tWrYMlYPM00u" crossorigin="anonymous"></script>
<script>(window.axios||document.write("\u003Cscript src=\u0022/lib/axios/dist/axios.min.js\u0022 integrity=\u0022sha384-3zW4Ss6nBzDaj/vvjP2Qwu5xaWAzOgTSccYj0DfBO/5tDzQksJa\u002BtWrYMlYPM00u\u0022 crossorigin=\u0022anonymous\u0022\u003E\u003C/script\u003E"));</script>
"\u003Cscript src=\u0022/lib/axios/dist/axios.min.js\u0022 integrity=\u0022sha384-3zW4Ss6nBzDaj/vvjP2Qwu5xaWAzOgTSccYj0DfBO/5tDzQksJa\u002BtWrYMlYPM00u\u0022 crossorigin=\u0022anonymous\u0022\u003E\u003C/script\u003E"
Decoding it with https://coderstoolbox.net/string/#!encoding=js&action=decode&charset=utf_8 gives:
"<script src="/lib/axios/dist/axios.min.js" integrity="sha384-3zW4Ss6nBzDaj/vvjP2Qwu5xaWAzOgTSccYj0DfBO/5tDzQksJa+tWrYMlYPM00u" crossorigin="anonymous"></script>"
Handling load error within subresource integrity check
Answer 1
Take a look at this implementation of SRI-fallback:
https://github.com/cyph/sri-fallback
Answer 2
You can check if the loaded resource is present and load a fallback local copy:
<script src="https://code.jquery.com/jquery-1.12.0.min.js" integrity="sha256-Xxq2X+KtazgaGuA2cWR1v3jJsuMJUozyIXDB3e793L8=" crossorigin="anonymous"></script>
<script>
if (!window.jQuery) {
var script = document.createElement('script');
script.src = '/local-resources/js/jquery-1.12.0.min.js';
script.async = false;
document.head.appendChild(script);
}
</script>
Author: Chuck Lu (GitHub)