Legend
January 15, 2017
Answered

Monstrosity links???


Just for laughs can anyone inform me why we are now being fed monstrosity links like below?

<script src="https://code.jquery.com/jquery-3.1.1.js" integrity="sha256-16cdPddA6VdVInumRGo6IbivbERE8p7CQR3HzTBuELA=" crossorigin="anonymous"></script>

Instead of:

<script src="https://code.jquery.com/jquery-3.1.1.js"></script>

I assume they must serve some kind of purpose.

Os

    Correct answer Nancy OShea

    Yes, it's important. It's called an INTEGRITY attribute and it's there in case the CDN is ever hacked or goes malicious.

    Integrity is a flag that can be included in script tags that specifies the hash of an accepted script. If the script on the server does not match the hash, the end user’s web browser will reject it. This reduces potential risk for everyone. These days, very important.

    Crossorigin is also required for Integrity checking. It stops credentials from being sent with the request.

    Nancy
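
The hash comparison described in the answer above, as an added example that is not part of the original thread. It runs under Node.js; the function names, the sample script contents and the `cdn.example` URL are constructed for illustration, and the matching rule (check only the strongest listed algorithm, ignore unknown ones) follows the Subresource Integrity specification.

```javascript
// Added example: Subresource Integrity (SRI) matching, run with Node.js.
const { createHash } = require('crypto');

// Hash algorithms defined for SRI, weakest to strongest.
const ALGS = ['sha256', 'sha384', 'sha512'];

// Build an integrity value ("<alg>-<base64 digest>") for the script bytes.
function sriHash(bytes, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(bytes).digest('base64')}`;
}

// Split an integrity attribute into {alg, digest} entries; tokens with an
// unknown algorithm are dropped, as browsers ignore them.
function parseIntegrity(attr) {
  const entries = [];
  for (const token of attr.trim().split(/\s+/)) {
    const dash = token.indexOf('-');
    const alg = token.slice(0, Math.max(dash, 0));
    if (!ALGS.includes(alg)) continue;
    entries.push({ alg, digest: token.slice(dash + 1).split('?')[0] });
  }
  return entries;
}

// Decide whether fetched bytes may run. Only the strongest algorithm listed
// is checked, and one matching digest for it is enough.
function matchesIntegrity(bytes, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true; // no usable hash: nothing is enforced
  const rank = (e) => ALGS.indexOf(e.alg);
  const strongest = entries.reduce((a, b) => (rank(b) > rank(a) ? b : a)).alg;
  const actual = createHash(strongest).update(bytes).digest('base64');
  return entries.some((e) => e.alg === strongest && e.digest === actual);
}

// Constructed sample data (not real jQuery): the file the page author
// reviewed, and the same URL's content after it was changed on the CDN.
const reviewed = Buffer.from('window.lib = { version: "1.0" };\n');
const tampered = Buffer.from('window.lib = { version: "1.0" }; injected();\n');
const integrity = sriHash(reviewed, 'sha256');

console.log(`<script src="https://cdn.example/lib.js" integrity="${integrity}" crossorigin="anonymous"></script>`);
console.log('reviewed file runs:', matchesIntegrity(reviewed, integrity)); // true
console.log('tampered file runs:', matchesIntegrity(tampered, integrity)); // false
```

A tag with no integrity value, or one listing only an unrecognised algorithm, is loaded without any check, which is the case the plain `<script src>` form falls into.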

    2 replies

    pziecina
    Legend
    January 15, 2017

    One other thing that Nancy did not mention -

    Browsers are starting to implement 'warnings' about any scripts that are from a different server than the original, without the 'integrity/origin' attribute. This is how they are 'behind the scenes' implementing html5 ad blocking.

    osgood_Author
    Legend
    January 15, 2017

    This still works, without all the garbage, what's the risk to me?

    <script src="https://code.jquery.com/jquery-3.1.1.js"></script>

    Rob Hecker2
    Legend
    January 15, 2017

    Rob Hecker2 wrote:

    Well, I've been doing this for what, 12 years now, and none of my sites have thus far been hacked... so I'll take my chances.

    Then you should take a look at your server logs some time.

    I know that my server is subjected to thousands of attack attempts every day. They are of all kinds. I am very paranoid about security because I am terrified of an attack that I can't solve by myself, and have to pay the server farm staff to resolve.

    I don't really have any sites that I can't rebuild in a few minutes. I don't have my own servers like you do because I don't want the added worry of them being attacked or going t*ts up. I'm a web developer first and foremost, not a server technician or protector. I would hope that the hosting companies that I use have some kind of protection against attacks, so I'm happy with that.


    The only times I was successfully hacked were when I used shared hosting. That was maybe six years ago. I was using Network Solutions and twice their FTP server was breached. Oh, and at about the same time another client was using Dreamhost and they were hacked two or three times.

    Since I've been using a VPS, no problems, but largely because I have paid a lot of attention to server security. Knock on wood!

    When my client websites go down, they stop making money, which makes them chase after poor me with pitchforks.