Legend
January 15, 2017
Answered

Monstrosity links???

  • January 15, 2017
  • 2 replies
  • 1765 views

Just for laughs can anyone inform me why we are now being fed monstrosity links like below?

<script src="https://code.jquery.com/jquery-3.1.1.js" integrity="sha256-16cdPddA6VdVInumRGo6IbivbERE8p7CQR3HzTBuELA=" crossorigin="anonymous"></script>

Instead of:

<script src="https://code.jquery.com/jquery-3.1.1.js"></script>

I assume they must serve some kind of purpose.

Os

    This topic has been closed for replies.
    Correct answer Nancy OShea

    Yes, it's important.  It's called an INTEGRITY attribute and it's there in case the CDN is ever hacked or goes malicious.

    Integrity is a flag that can be included in script-tags that specify the hash of an accepted script.  If the script on the server does not match the hash, the end user’s web browser will reject it.  This reduces potential risk for everyone.  These days, very important.

    Crossorigin is also required for Integrity checking.  It stops credentials from being sent with the request.

    Nancy

    2 replies

    pziecina
    Legend
    January 15, 2017

    One other thing that Nancy did not mention -

    Browsers are starting to implement 'warnings' about any scripts that are from a different server than the original, without the 'integrity/origin' attribute. This is how they are 'behind the scenes' implementing html5 ad blocking.

    osgood_Author
    Legend
    January 15, 2017

    This still works, without all the garbage, what's the risk to me?

    <script src="https://code.jquery.com/jquery-3.1.1.js"></script>

    Rob Hecker2

    I would hope that the hosting companies that I use have some kind of protection against attacks

    Unfortunately, shared web hosting has to be lax about security, otherwise their support staff will be overwhelmed by customers who are locked out or blocked from doing what they want to do.

    Also, a lot of the security I focus on is the kinds of stuff that is under your control as a developer, such as controls within CMS admin systems (I don't allow customers to add javascript or anything but simple html and css), strong form validation and sanitation.

    osgood_Author
    Legend
    January 16, 2017


    Rob Hecker2 wrote:

    I would hope that the hosting companies that I use have some kind of protection against attacks

    Unfortunately, shared web hosting has to be lax about security, otherwise their support staff will be overwhelmed by customers who are locked out or blocked from doing what they want to do.

    All I can say is I've not experienced any hacking issues in the 12 or maybe more years I've been producing websites, and I've used a variety of hosts over that time. Issues with servers unrelated to hacking, yes, plenty. Even if one of my clients' sites gets hacked it's not a major problem as I can rebuild it in a matter of minutes. The kind of clients I have are the ones that mostly don't update the websites themselves even though they have access to a CMS to change selected areas of it.

    Generally I inform those clients that want to update their own website that they need to back up their own database, as I cannot be bothered myself because there is little or no financial return in playing bodyguard in those circumstances. For those clients that let me do the updates, I back up their database and so does the web host. It's always a risk when using technology which can be beyond your control or technology which can be complex, needing an expert to intervene at times.

    I prefer to just concentrate on the developing as I have enough on my plate just keeping pace with that. I'm not really interested in the server administration side as I don't understand the inner workings of it and neither do I have any compelling desire to do so.

    Personally I would not want to put myself in the situation where I was responsible for the upkeep of a server because things do happen and I would lose too much sleep worrying about it. I don't know if the financial rewards in doing so outweigh that concern.