Preventing XSS with Subresource Integrity
Today I got around to reading about a new W3C draft standard: Subresource Integrity – the standard is a product of efforts by Google, Dropbox, and Mozilla. To paraphrase the abstract, it defines a mechanism by which web browsers can check that their static files (js, css, images) haven’t been hijacked.
The idea is pretty basic: websites can now include a cryptographic checksum alongside their imports. For example,
<script src="https://mycdn.com/somescript.js" integrity="sha512-EkldfklaeoqpfjqlkfFkdqp4qkfp220fjksQovjfqklj=" crossorigin="anonymous"></script>
Browsers that support this will calculate the checksum of the static file and compare it with the declared value. If they don't match, no XHR request will be made for the resource.