Skip to main content
O
osgood_
Legend
January 15, 2017
Answered

Monstrosity links???

  • January 15, 2017
  • 2 replies
  • 1765 views

Just for laughs can anyone inform me why we are now being fed monstrosity links like below?

<script src="https://code.jquery.com/jquery-3.1.1.js" integrity="sha256-16cdPddA6VdVInumRGo6IbivbERE8p7CQR3HzTBuELA=" crossorigin="anonymous"></script>

Instead of:

<script src="https://code.jquery.com/jquery-3.1.1.js"></script>

I assume they must serve some kind of purpose.

Os

    This topic has been closed for replies.
    Correct answer Nancy OShea

    Yes. it's important.  It's called an INTEGRITY attribute and it's there in case the CDN is ever  hacked or goes malicious.

    Integrity is a flag that can be included in script-tags that specify the hash of an accepted script.   If the script on the server does not match the hash,  the end user’s web browser will reject it  This reduces potential risk for everyone.   These days, very important.

    Crossorgin is also required for Integrity checking.  It stops credentials from being sent with the request.

    Nancy

    2 replies

    pziecina
    pziecina
    Legend
    January 15, 2017

    One other thing that Nancy did not mention -

    Browsers are starting to implement 'warnings' about any scripts that are from a different server than the original, without the 'integrity/origin' attribute. This is how they are 'behind the scenes' implementing html5 ad blocking.

    Nancy OShea
    Community Expert
    Nancy OSheaCommunity ExpertCorrect answer
    Community Expert
    January 15, 2017

    Yes. it's important.  It's called an INTEGRITY attribute and it's there in case the CDN is ever  hacked or goes malicious.

    Integrity is a flag that can be included in script-tags that specify the hash of an accepted script.   If the script on the server does not match the hash,  the end user’s web browser will reject it  This reduces potential risk for everyone.   These days, very important.

    Crossorgin is also required for Integrity checking.  It stops credentials from being sent with the request.

    Nancy

    Nancy O'Shea— Product User & Community Expert
    O
    osgood_Author
    Legend
    January 15, 2017

    This still works, without all the garbage, whats the risk to me?

    <script src="https://code.jquery.com/jquery-3.1.1.js"></script>

    pziecina
    pziecina
    Legend
    January 15, 2017

    The risk is that sooner or later browsers will start to give a 'warning; message that the origin of the script cannot be confirmed, and offer the option of blocking the script, (similar to flash).

    The safer alternative, and one that is future proof, is to host the script on your own server if possible.

      Terms & ConditionsAccessibility statement
      Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices