
Manjula Dube

Be aware of using unauthenticated JavaScript on web pages

webaccessibility, accessibility - 1 min read

We often fetch a lot of third-party libraries from a CDN in our web apps (for example Bootstrap, jQuery, etc.).

Have you ever encountered an error?

This usually happens when you try to load a third-party library via a CDN and the integrity value doesn't match.

What does that mean?

For example:

Let's understand it a bit better.

The integrity and crossorigin attributes are used for Subresource Integrity (SRI) checking. This allows browsers to ensure that resources hosted on third-party servers have not been modified in any way. Use of SRI is recommended as a best practice whenever libraries are loaded from a third-party source. If the script or stylesheet doesn't match its associated integrity value, the browser refuses to execute the script or apply the stylesheet and logs an integrity error to the console.

  • The integrity attribute is a content verification. It confirms that the content being loaded is the same as what you intended. This also gives you assurance that the fetched resource has been delivered without unexpected manipulation (which could otherwise be done by an attacker).

  • The fact that the browser is blocking the load indicates that the content does not match. Did you perhaps change the version but keep the same integrity value? If so, please fix that.
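The check described above can be reproduced offline. The following Node.js sketch is an added example, not code from the original post: the function names `sriValue` and `checkIntegrity` and the two sample "library releases" are constructed for illustration. It computes an integrity value and shows which cases a browser would block, including the version bump mentioned above.

```javascript
const { createHash } = require("node:crypto");

// Algorithms browsers accept for SRI, weakest to strongest.
const ALGOS = ["sha256", "sha384", "sha512"];

// Build an integrity attribute value from the exact bytes of the file.
function sriValue(body, algo = "sha384") {
  return `${algo}-${createHash(algo).update(body).digest("base64")}`;
}

// Mirror the browser's decision for one resource:
//   "not-enforced": the attribute has no usable hash, so nothing is checked
//   "match" / "blocked": the strongest listed algorithm did / did not match
function checkIntegrity(body, integrityAttr) {
  const entries = (integrityAttr || "").trim().split(/\s+/)
    .map((t) => /^(sha256|sha384|sha512)-([A-Za-z0-9+\/_=-]+)(\?.*)?$/.exec(t))
    .filter(Boolean)
    .map(([, algo, b64]) => ({ algo, digest: Buffer.from(b64, "base64") }));
  if (entries.length === 0) return "not-enforced";

  // Only hashes using the strongest algorithm present are considered.
  const strongest = entries
    .map((e) => e.algo)
    .sort((a, b) => ALGOS.indexOf(b) - ALGOS.indexOf(a))[0];
  const actual = createHash(strongest).update(body).digest();
  const ok = entries.some((e) => e.algo === strongest && e.digest.equals(actual));
  return ok ? "match" : "blocked";
}

// Constructed sample data: two releases of a hypothetical CDN library.
const v1 = Buffer.from("window.lib = { version: '1.0.0' };\n");
const v2 = Buffer.from("window.lib = { version: '1.0.1' };\n");
const pinned = sriValue(v1); // what the page author put in integrity="..."

function demo() {
  return {
    sameFile: checkIntegrity(v1, pinned),      // untouched file
    versionBumped: checkIntegrity(v2, pinned), // URL changed, hash not updated
    tampered: checkIntegrity(Buffer.concat([v1, Buffer.from("/*x*/")]), pinned),
    rotation: checkIntegrity(v2, `${pinned} ${sriValue(v2)}`), // both hashes listed
    typoAlgo: checkIntegrity(v2, "sha1-AAAA"), // unsupported algorithm: no check
  };
}

console.log(demo());
```

Note the last case: an integrity attribute that contains no supported hash is ignored rather than rejected, so a typo in the algorithm name silently removes the protection.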

What could be the problem if you don't fix it?

If your script has no integrity attribute and is a third-party library, an attacker might at some point compromise the third-party host and change its JavaScript and CSS in order to obtain valuable information.

Here's a nice article for more details

If you want to read more about Subresource Integrity and its importance