HTML 中完整性属性的用途是什么?
What is the purpose of the integrity attribute in HTML?
我在 bootstrap 的网站上,我最近注意到他们的 CDN 链接包含一个带有 SHA-384 密钥的完整性属性。
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>
我认为这是一种验证脚本源的方法,但我还想知道它是如何使用的,以及它是否属于任何规范的一部分?
此外,这是否仅适用于脚本 src,还是适用于任何非同源源?
检查这个:
https://developer.mozilla.org/en/docs/Web/HTML/Element/script
Using Content Delivery Networks (CDNs) to host files such as scripts and stylesheets that are shared among multiple sites can improve site performance and conserve bandwidth. However, using CDNs also comes with a risk, in that if an attacker gains control of a CDN, the attacker can inject arbitrary malicious content into files on the CDN (or replace the files completely) and thus can also potentially attack all sites that fetch files from that CDN.
The Subresource Integrity feature enables you to mitigate the risk of attacks such as this, by ensuring that the files your Web application or Web document fetches (from a CDN or anywhere) have been delivered without a third-party having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.
在此处阅读更多内容:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
我在 bootstrap 的网站上,我最近注意到他们的 CDN 链接包含一个带有 SHA-384 密钥的完整性属性。
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>
我认为这是一种验证脚本源的方法,但我还想知道它是如何使用的,以及它是否属于任何规范的一部分?
此外,这是否仅适用于脚本 src,还是适用于任何非同源源?
检查这个:
https://developer.mozilla.org/en/docs/Web/HTML/Element/script
Using Content Delivery Networks (CDNs) to host files such as scripts and stylesheets that are shared among multiple sites can improve site performance and conserve bandwidth. However, using CDNs also comes with a risk, in that if an attacker gains control of a CDN, the attacker can inject arbitrary malicious content into files on the CDN (or replace the files completely) and thus can also potentially attack all sites that fetch files from that CDN.
The Subresource Integrity feature enables you to mitigate the risk of attacks such as this, by ensuring that the files your Web application or Web document fetches (from a CDN or anywhere) have been delivered without a third-party having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.
在此处阅读更多内容:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity