Skip to main content
O
osgood_
Legend
January 15, 2017
Answered

Monstrosity links???

  • January 15, 2017
  • 2 replies
  • 1765 views

Just for laughs can anyone inform me why we are now being fed monstrosity links like below?

<script src="https://code.jquery.com/jquery-3.1.1.js" integrity="sha256-16cdPddA6VdVInumRGo6IbivbERE8p7CQR3HzTBuELA=" crossorigin="anonymous"></script>

Instead of:

<script src="https://code.jquery.com/jquery-3.1.1.js"></script>

I assume they must serve some kind of purpose.

Os

    This topic has been closed for replies.
    Correct answer Nancy OShea

    Yes. it's important.  It's called an INTEGRITY attribute and it's there in case the CDN is ever  hacked or goes malicious.

    Integrity is a flag that can be included in script-tags that specify the hash of an accepted script.   If the script on the server does not match the hash,  the end user’s web browser will reject it  This reduces potential risk for everyone.   These days, very important.

    Crossorgin is also required for Integrity checking.  It stops credentials from being sent with the request.

    Nancy

    2 replies

    pziecina
    pziecina
    Legend
    January 15, 2017

    One other thing that Nancy did not mention -

    Browsers are starting to implement 'warnings' about any scripts that are from a different server than the original, without the 'integrity/origin' attribute. This is how they are 'behind the scenes' implementing html5 ad blocking.

    Nancy OShea
    Community Expert
    Nancy OSheaCommunity ExpertCorrect answer
    Community Expert
    January 15, 2017

    Yes. it's important.  It's called an INTEGRITY attribute and it's there in case the CDN is ever  hacked or goes malicious.

    Integrity is a flag that can be included in script-tags that specify the hash of an accepted script.   If the script on the server does not match the hash,  the end user’s web browser will reject it  This reduces potential risk for everyone.   These days, very important.

    Crossorgin is also required for Integrity checking.  It stops credentials from being sent with the request.

    Nancy

    Nancy O'Shea— Product User & Community Expert
    O
    osgood_Author
    Legend
    January 15, 2017

    This still works, without all the garbage, whats the risk to me?

    <script src="https://code.jquery.com/jquery-3.1.1.js"></script>

    O
    osgood_Author
    Legend
    January 15, 2017

    Sure it still works.  But if jQuery CDN is hacked and all the scripts are replaced with malicious code -- even temporarily (it can happen), then you and anyone else who visits your site is potentially at risk for receiving malicious code.

    INTEGRITY checks with hashing diminish that risk.

    IMO it's negligent not to use it.

    Nancy


    Nancy OShea wrote:

    Sure it still works. But if jQuery CDN is hacked and all the scripts are replaced with malicious code -- even temporarily (it can happen), then you and anyone else who visits your site is potentially at risk for receiving malicious code.

    INTEGRITY checks with hashing diminish that risk.

    IMO it's negligent not to use it.

    Nancy

    I just loathe all this garbage being injected into the code. That's why I hate stuff like Wordpress, Bootstrap etc etc. I'll house the scripts myself - no-one  is going to hack my sites - it seems the CND hosted script providers now believe, for some reason, there is a good possibility of being hacked so hackers MUST be trying it all the time otherwise they would not have recently introduce this.

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices