SRI is a new W3C specification that allows web developers to ensure that resources hosted on third-party servers have not been tampered with. Use of SRI is recommended as a best-practice, whenever libraries are loaded from a third-party source.
Learn more about how to use subresource integrity on MDN.
TLS ensures that the connection between the browser and the server is secure. The resource itself may still be modified server-side by an attacker to include malicious content, yet still be served with a valid TLS certificate. SRI, on the other hand, guarantees that a resource hasn't changed since it was hashed by a web author.
Use the generator above or the following shell command:
openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A
When the request is not on the same origin the
crossorigin attribute must be present to check the integrity of the
crossorigin attribute, the browser will choose to 'fail-open' which
means it will load the resource as if the integrity attribute was not set, effectively losing all the security SRI brings in the first place.
crossorigin="anonymous" results that no credentials are sent to the cross-origin site hosting the content. However,
it will send an
Origin HTTP header. If the server denies including the resource (by not setting the
Access-Control-Allow-Origin HTTP header),
the resource will not be used by the browser.
You can find more information on MDN.
Check out SRI on caniuse.com to see specific browser version support information.
To fully test your browser for subresource integrity support, please open this page.
Your browser supports SRI
Your browser does not support SRI