Enabling Subresource Integrity for Rainforest
What's the point? To make sure the code you request is the code you're running.
We’ve started by just implementing it on our own resources by adding a few lines to our deployment script, plus a couple of extra attributes to our script tags.
As we’re not yet completely static apart from the API, we set an environment variable on our Rails app, letting it know the right SRI hash, plus the build location for the latest code:
The env var is then used to generate some HTML:
crossorigin is set to anonymous, meaning that no cookies or other auth is shared with the subresource.
How to implement SRI in three steps
- cat the file to be hashed to openssl:
- make the digest (can be SHA-256 / 384 / 512, we use 384 as it's a sane length):
  openssl dgst -sha384 -binary
- base64 encode the binary SHA:
  openssl enc -base64 -A
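The three steps above chained into one pipeline, as an added example that is not from the original post or Rainforest's deployment script: a POSIX shell script that computes the integrity value for a local file, emits the script tag with the crossorigin="anonymous" attribute described earlier, and re-checks a file against an existing hash. The CDN URL and the file contents are placeholders.

```shell
#!/bin/sh
# Added example (not Rainforest's code): build and verify SRI hashes with openssl.

# sri_hash FILE [ALGO] -> prints "ALGO-<base64 digest>" (ALGO defaults to sha384)
sri_hash() {
  file="$1"
  algo="${2:-sha384}"
  # step 1: cat the file into openssl
  # step 2: raw binary digest (no hex), so the base64 step encodes the actual bytes
  # step 3: base64 on a single line (-A), which is what the integrity attribute expects
  digest=$(cat "$file" | openssl dgst -"$algo" -binary | openssl enc -base64 -A)
  printf '%s-%s\n' "$algo" "$digest"
}

# script_tag SRC FILE [ALGO] -> prints the <script> tag for SRC with the hash of FILE.
# crossorigin="anonymous" is required for SRI on cross-origin resources; the
# browser refuses to execute the script if the fetched bytes do not match.
script_tag() {
  printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
    "$1" "$(sri_hash "$2" "${3:-sha384}")"
}

# sri_check FILE EXPECTED -> exit 0 if FILE hashes to EXPECTED ("algo-base64"), else 1.
# Useful as a deploy-time guard: recompute the hash of the uploaded artifact and
# compare it to the value baked into the HTML before the release goes live.
sri_check() {
  algo="${2%%-*}"
  [ "$(sri_hash "$1" "$algo")" = "$2" ]
}

# Demo on a constructed file (placeholder content and URL, not a real bundle)
demo() {
  tmp=$(mktemp)
  printf 'console.log("hello");\n' > "$tmp"
  script_tag "https://cdn.example.com/app.js" "$tmp"
  rm -f "$tmp"
}
```

Run it in a deploy step and paste the printed tag into the layout, or call sri_check against the uploaded file and the hash already in the HTML to catch a stale env var before release.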