HTML <script> integrity Attribute
Example
Link to a CDN, using both the integrity and crossorigin attributes:
<script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"
integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo"
crossorigin="anonymous">
</script>
Definition and Usage
The integrity attribute allows a browser to check the fetched script to ensure that the code is never loaded if the source has been manipulated.
Subresource Integrity (SRI) is a W3C specification that allows web developers to ensure that resources hosted on third-party servers have not been altered. Use of SRI is recommended!
When using SRI, the webpage holds the hash and the server holds the file (the .js file in this case). The browser downloads the file, then checks it, to make sure that it is a match with the hash in the integrity attribute. If it matches, the file is used, and if not, the file is blocked.
You can use an online SRI hash generator to generate integrity hashes: SRI Hash Generator
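The hash generation and the browser's match-or-block decision described above, as an added Node.js example (not code from the original page). The function names and the sample script text are constructed for illustration; the example goes beyond the page's text by handling several hashes in one attribute and an attribute with no usable hash.

```javascript
const crypto = require("node:crypto");

// Hash algorithms defined for SRI, weakest to strongest.
const ALGORITHMS = ["sha256", "sha384", "sha512"];

// Build an integrity value: "<algorithm>-<base64 digest of the file bytes>".
function sriHash(body, algorithm = "sha384") {
  if (!ALGORITHMS.includes(algorithm)) throw new Error("unsupported: " + algorithm);
  return algorithm + "-" + crypto.createHash(algorithm).update(body).digest("base64");
}

// Split an integrity attribute into {algorithm, digest} entries, ignoring
// "?options" suffixes and dropping malformed or unknown-algorithm tokens.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean).map((token) => {
    const expr = token.split("?")[0];
    const dash = expr.indexOf("-");
    if (dash < 0) return null;
    return { algorithm: expr.slice(0, dash), digest: expr.slice(dash + 1) };
  }).filter((e) => e && ALGORITHMS.includes(e.algorithm) && e.digest.length > 0);
}

// Decide as the browser does: true = the file is used, false = it is blocked.
function verifyIntegrity(body, attr) {
  const entries = parseIntegrity(attr);
  // No usable hash (empty attribute, only unknown algorithms): nothing is enforced.
  if (entries.length === 0) return true;
  // Only the strongest algorithm listed is checked; weaker entries are ignored.
  const strongest = entries
    .map((e) => e.algorithm)
    .sort((a, b) => ALGORITHMS.indexOf(b) - ALGORITHMS.indexOf(a))[0];
  const actual = sriHash(body, strongest).slice(strongest.length + 1);
  return entries.some((e) => e.algorithm === strongest && e.digest === actual);
}

// Constructed sample input: a script as published, and a modified copy.
const published = "window.greet = () => console.log('hello');\n";
const tampered = published + "console.log('modified after publication');\n";
const integrity = sriHash(published);

console.log(integrity);
console.log("published:", verifyIntegrity(published, integrity));
console.log("tampered: ", verifyIntegrity(tampered, integrity));
```

An attribute with no usable hash enforces nothing, so a build step that emits integrity values should fail when the value is empty or uses an algorithm outside sha256, sha384 and sha512.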
Browser Support
The numbers in the table specify the first browser version that fully supports the attribute.
Attribute | |||||
---|---|---|---|---|---|
integrity | 45.0 | 17.0 | 43.0 | 13.0 | 66.0 |
Syntax
<script integrity="filehash">
Attribute Values
Value | Description |
---|---|
filehash | The hash value of the external script file |