Subresource Integrity is an awesome security feature that allows us to ensure that assets served by a CDN haven't been tampered with. Now, thanks to a new directive in CSP, we can ensure that SRI is used across our site.
In short, SRI allows us to embed the hash of a script or style into the tag on our page. When the browser then fetches the asset it will hash it and compare the hash against the one in the script or link tag. If they match then we know the file is the one we expected. If it doesn't match we know it's been tampered with and the browser will discard it. You can read more about SRI on my blog, Subresource Integrity: Securing CDN loaded assets.
Enforcing the use of SRI
SRI is great, and everyone should be using it, but the problem is that we can't check that SRI is in use across our site, nor enforce the use of it. Until now!
A new directive is being added to Content Security Policy that will give a site the ability to inform a browser that all scripts and/or styles should be protected by SRI. The directive is quite sensibly named and really easy to deploy.
Content-Security-Policy: require-sri-for script style
That's all there is to it! The browser will now check to make sure that every script or style on your page has the SRI integrity data supplied like so (the crossorigin attribute is needed for cross-origin assets so the browser can read the response it hashes; sha256-value stands in for the real digest):
<script src="https://example.com/file.js" crossorigin="anonymous" integrity="sha256-value"></script>
<link rel="stylesheet" href="https://example.com/file.css" crossorigin="anonymous" integrity="sha256-value">
Support for the new directive is coming in Chrome v54 and other browser vendors will probably follow suit shortly after. Much like other CSP directives though, you can enable the new directive now and browsers will simply start to enforce it once support is added. If they don't support the directive they will just ignore it, so get deploying! You can also read the SRI spec for information on the new directive and support has been added to report-uri.io so you can now receive CSP reports for assets not using SRI!
"We just pushed a bunch of small updates out to the site. Can you spot any? pic.twitter.com/lkAktMUr7X"
— report-uri.io (@reporturi), December 30, 2016