<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Implement Subresource Integrity (SRI)"

   href="https://bugs.webkit.org/show_bug.cgi?id=148363">148363</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Implement Subresource Integrity (SRI)

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Nightly Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>URL</th>

          <td>https://w3c.github.io/webappsec/specs/subresourceintegrity/

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>WebKit Misc.

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>mike&#64;w3.org

          </td>

        </tr></table>

      <p>

        <div>

        <pre>The SRI specification &quot;defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation&quot; using a validation scheme and &quot;extending several HTML elements with an integrity attribute that contains a cryptographic hash of the representation of the resource the author expects to load.&quot; <a href="http://w3c.github.io/webappsec/specs/subresourceintegrity/">http://w3c.github.io/webappsec/specs/subresourceintegrity/</a>

Example: If a document loads some JavaScript library code from a shared server at <a href="https://example.com/example-framework.js">https://example.com/example-framework.js</a> rather than from the same own origin as the document, the document can specify the expected SHA-256 hash of <a href="https://example.com/example-framework.js">https://example.com/example-framework.js</a> (e.g., C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=) and the UA, before executing the JavaScript, can verify that the data matches that expected hash.

&lt;script src=&quot;<a href="https://example.com/example-framework.js">https://example.com/example-framework.js</a>&quot;

        integrity=&quot;sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=&quot;

        crossorigin=&quot;anonymous&quot;&gt;&lt;/script&gt;

The mechanism can also be used for resources loaded through &lt;link&gt; elements.

As far as support in other UAs, Chrome has supported Subresource Integrity since v45, and Firefox has since v43. <a href="https://developer.mozilla.org/en/docs/Web/HTML/Element/script#Browser_compatibility">https://developer.mozilla.org/en/docs/Web/HTML/Element/script#Browser_compatibility</a></pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>