Webperf-se / webperf_core

webperf-core is an open-source testing suite tailored to help you improve your digital presence in areas from web performance, security and accessibility to email best practice, using many small improvements.
https://webperf.se/articles/webperf-core/
MIT License
19 stars, 30 forks

Add basic Subresource Integrity (SRI) Validation #642

Closed cockroacher closed 2 days ago

cockroacher commented 5 days ago

This PR implements basic Subresource Integrity (SRI) validation for websites being tested using HTTP & Network Test.

How it works:

  1. It checks if any requests are being loaded using a script or link element that uses an external domain. If not, you are compliant.
  2. If you use an external domain, we check whether you use the integrity attribute or not.
  3. If you use the integrity attribute, we also check that you are using it in the correct way.

Calculation of rating:

You get 5.0 points if you are SRI compliant. You get 3.0 points if you are using the integrity attribute in a wrong way somewhere. You get 1.0 points if you load external resources without SRI.

Background:

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.

Using Content Delivery Networks (CDNs) to host files such as scripts and stylesheets that are shared among multiple sites can improve site performance and conserve bandwidth. However, using CDNs also comes with a risk, in that if an attacker gains control of a CDN, the attacker can inject arbitrary malicious content into files on the CDN (or replace the files completely) and thus can also potentially attack all sites that fetch files from that CDN.

Subresource Integrity enables you to mitigate some risks of attacks such as this, by ensuring that the files your web application or web document fetches (from a CDN or anywhere) have been delivered without a third-party having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.
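One way to implement the three checks and the rating scale described in the PR description above, together with the browser-side hash match that the background section refers to. This is an added example written for this page; it is not code from webperf_core or from the PR author. It assumes a host-based definition of "external domain" (any host other than the page's own, so a subdomain counts as external), treats an integrity value as "used in the correct way" only when every token is sha256, sha384 or sha512 followed by a base64 digest of the matching length, and, where a page has both a missing and a malformed attribute, reports the lower score. The page URL, resource body and HTML snippets are constructed for the example.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# One SRI token: "<sha256|sha384|sha512>-<base64 digest>", optionally followed by "?options".
# Assumed definition of "used in the correct way" for this example, not webperf_core's rule.
_TOKEN_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+=*)(\?.*)?$")
_DIGEST_LEN = {"sha256": 32, "sha384": 48, "sha512": 64}


def compute_integrity(data, algo="sha384"):
    """Build the integrity attribute value a site author publishes for a resource body."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_is_well_formed(value):
    """True if every whitespace-separated token is a syntactically valid SRI hash expression."""
    tokens = value.split()
    if not tokens:
        return False
    for token in tokens:
        m = _TOKEN_RE.match(token)
        if m is None:
            return False
        algo, b64 = m.group(1), m.group(2)
        try:
            raw = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        if len(raw) != _DIGEST_LEN[algo]:
            return False
    return True


def resource_matches(data, integrity):
    """Browser-side check: hash the fetched bytes and compare against the strongest algorithm listed."""
    if not integrity_is_well_formed(integrity):
        return False
    tokens = [t.split("?", 1)[0].split("-", 1) for t in integrity.split()]
    strongest = max(algo for algo, _ in tokens)  # "sha512" > "sha384" > "sha256" lexically
    return any(algo == strongest and hashlib.new(algo, data).digest() == base64.b64decode(b64)
               for algo, b64 in tokens)


class _SubresourceCollector(HTMLParser):
    """Collect script and link elements that can carry SRI, with their integrity attribute."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url, integrity value or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"], a.get("integrity")))
        elif tag == "link" and a.get("href"):
            rel = set((a.get("rel") or "").lower().split())
            if rel & {"stylesheet", "preload", "modulepreload"}:  # link types SRI applies to
                self.resources.append(("link", a["href"], a.get("integrity")))


def is_external(resource_url, page_url):
    """Host-based notion of 'external domain': relative, data: and blob: URLs are not external."""
    parsed = urlparse(resource_url)
    if parsed.scheme in ("data", "blob") or not parsed.netloc:
        return False
    return parsed.hostname != urlparse(page_url).hostname


def rate_sri(html, page_url):
    """Return (points, findings) on the PR's scale: 5.0 compliant, 3.0 misused, 1.0 missing."""
    collector = _SubresourceCollector()
    collector.feed(html)
    external = [r for r in collector.resources if is_external(r[1], page_url)]
    if not external:
        return 5.0, []  # step 1: nothing is loaded from another domain
    findings, missing, malformed = [], 0, 0
    for tag, url, integrity in external:
        if integrity is None:  # step 2
            missing += 1
            findings.append(f"{tag} {url}: no integrity attribute")
        elif not integrity_is_well_formed(integrity):  # step 3
            malformed += 1
            findings.append(f"{tag} {url}: malformed integrity {integrity!r}")
    if missing:  # assumption: the lower score wins when both problems are present
        return 1.0, findings
    if malformed:
        return 3.0, findings
    return 5.0, findings


# Constructed sample data; hosts, resource body and markup are invented for this example.
PAGE_URL = "https://www.example.org/index.html"
CDN_JS = b"window.lib = { version: '1.0' };\n"
GOOD = compute_integrity(CDN_JS, "sha384")
COMPLIANT_HTML = (
    '<script src="/static/app.js"></script>'  # same origin, ignored by step 1
    f'<script src="https://cdn.example.com/lib.js" integrity="{GOOD}" crossorigin="anonymous"></script>'
)
MALFORMED_HTML = '<link rel="stylesheet" href="//cdn.example.com/lib.css" integrity="md5-deadbeef">'
MISSING_HTML = '<script src="https://cdn.example.com/lib.js"></script>' + MALFORMED_HTML
```

`rate_sri(COMPLIANT_HTML, PAGE_URL)` gives 5.0 with no findings, the malformed snippet gives 3.0, and the snippet that mixes a missing and a malformed attribute gives 1.0 with two findings. `resource_matches(CDN_JS + b"evil();", GOOD)` is False, which is the tampered-CDN case the background describes. One caveat the example does not cover: a cross-origin resource is only integrity-checked by the browser when the response is CORS-enabled and the element carries a `crossorigin` attribute; a scanner that wants to report "SRI compliant" rather than "integrity attribute present" would have to check that as well.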