January 15, 2017
Answered

Monstrosity links???

  • January 15, 2017
  • 2 replies
  • 1765 views

Just for laughs can anyone inform me why we are now being fed monstrosity links like below?

<script src="https://code.jquery.com/jquery-3.1.1.js" integrity="sha256-16cdPddA6VdVInumRGo6IbivbERE8p7CQR3HzTBuELA=" crossorigin="anonymous"></script>

Instead of:

<script src="https://code.jquery.com/jquery-3.1.1.js"></script>

I assume they must serve some kind of purpose.

Os

    Correct answer Nancy OShea

    Yes, it's important. It's called an INTEGRITY attribute and it's there in case the CDN is ever hacked or goes malicious.

    Integrity is a flag that can be included in script tags that specifies the hash of an accepted script. If the script on the server does not match the hash, the end user's web browser will reject it. This reduces potential risk for everyone. These days, very important.

    Crossorigin is also required for integrity checking. It stops credentials from being sent with the request.

    Nancy

    2 replies

    pziecina
    Legend
    January 15, 2017

    One other thing that Nancy did not mention:

    Browsers are starting to implement 'warnings' about any scripts that are from a different server than the original, without the 'integrity/origin' attribute. This is how they are 'behind the scenes' implementing HTML5 ad blocking.

    osgood_ (Author)
    Legend
    January 15, 2017

    This still works, without all the garbage. What's the risk to me?

    <script src="https://code.jquery.com/jquery-3.1.1.js"></script>

    Nancy OShea
    Community Expert
    January 15, 2017

    osgood_ wrote:

        Nancy OShea wrote:

            Sure it still works. But if the jQuery CDN is hacked and all the scripts are replaced with malicious code, even temporarily (it can happen), then you and anyone else who visits your site is potentially at risk of receiving malicious code.

            INTEGRITY checks with hashing diminish that risk.

            IMO it's negligent not to use it.

            Nancy

        I just loathe all this garbage being injected into the code. That's why I hate stuff like WordPress, Bootstrap etc. I'll house the scripts myself; no one is going to hack my sites. It seems the CDN-hosted script providers now believe, for some reason, there is a good possibility of being hacked, so hackers MUST be trying it all the time, otherwise they would not have recently introduced this.


    Like it or not, it's the world we live in now. Hacking attempts are far more prevalent than you may realize. Even though the sites I run are small potatoes compared to the bigger ones, I have Secure Live monitoring on my dedicated server. In any given week, I receive between 3-5 hacking attempt warnings. Sometimes more. But the system stops them and then blocks their IP.

    Some attacks originate in Russia, some from China and some from the Middle East. It's not limited to any one region. So if you think you're immune, think again. Nobody is immune.

    Nancy

    Nancy O'Shea— Product User & Community Expert