Subresource Integrity (SRI) is a new web browser security mechanism that allows the browser to verify that a fetched resource has been delivered without manipulation. The mechanism allows web sites to specify a hash of the contents of a resource to be loaded, and the browser only loads the resource if the hash matches.
This would be a nice security feature to support in RequireJS. According to the specification, browsers throw an error upon a failed integrity check, which RequireJS would catch in its onScriptError handler. The way that RequireJS uses path fallbacks fits in nicely with how SRI would be deployed, enforcing checking a hash when fetching content from a CDN, and falling back to fetching the resource from a trusted source.
This functionality could be added in several different ways. We could build in all support for SRI directly into RequireJS, adding some extra declarative syntax to specify integrity hashes. This would involve adding a good amount of code that's specific to SRI.
Another way of implementing this functionality is by adding more simple generic functionality, allowing the client to specify an onNodeCreated hook that is supplied the node before it is injected into the DOM. This way, the client could patch in the SRI functionality by modifying the integrity attribute on the node as necessary.
I would appreciate hearing any thoughts or feedback on this proposal.
(Most of the stuff described above was previously discussed in an email thread between @devd and @jrburke; I'm tagging them to keep them updated.)
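A sketch of the second approach, as an added example that is not part of the original post or of RequireJS itself: the client pins the CDN copy with an `integrity` attribute from an `onNodeCreated` hook and leaves the same-origin fallback unpinned. The hook signature `(node, config, moduleName, url)`, the module name, the URLs and the digest are assumptions or constructed placeholders.

```javascript
// Added example: SRI applied from an onNodeCreated hook, combined with
// RequireJS path fallbacks. All names, URLs and the digest are constructed.
const CDN_ORIGIN = 'https://cdn.example.com';
const SRI_HASHES = {
  // moduleName -> integrity value for the CDN copy (placeholder digest)
  jquery: 'sha384-PLACEHOLDER_BASE64_DIGEST_OF_CDN_FILE'
};

// Return the integrity value to enforce for this fetch, or null for none.
function integrityFor(moduleName, url, pageOrigin) {
  const hash = SRI_HASHES[moduleName];
  if (!hash) return null;
  let origin;
  try {
    origin = new URL(url, pageOrigin).origin;
  } catch (e) {
    return null; // unparsable URL: do not attach a hash to it
  }
  // Only the CDN copy is pinned; the same-origin fallback is the trusted source.
  return origin === CDN_ORIGIN ? hash : null;
}

function buildConfig(pageOrigin) {
  return {
    paths: {
      // The first entry is tried first; after a script error (including a
      // failed integrity check) RequireJS falls back to the next entry.
      jquery: [CDN_ORIGIN + '/jquery.min', '/js/lib/jquery.min']
    },
    // Assumed hook: receives the <script> node before it is added to the DOM.
    onNodeCreated: function (node, config, moduleName, url) {
      const integrity = integrityFor(moduleName, url, pageOrigin);
      if (integrity) {
        node.setAttribute('integrity', integrity);
        // Cross-origin integrity checks require a CORS-enabled fetch.
        node.setAttribute('crossorigin', 'anonymous');
      }
    }
  };
}

// In a browser page with RequireJS loaded, apply the configuration.
if (typeof requirejs !== 'undefined' && typeof location !== 'undefined') {
  requirejs.config(buildConfig(location.origin));
}
```

The CDN must send `Access-Control-Allow-Origin` for the pinned file, otherwise the browser cannot verify the hash and the load fails over to the fallback path every time.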