What's the point? To make sure the code you request is the code you're running.
We’ve started by just implementing it on our own resources by adding a few lines to our deployment script, plus a couple of extra attributes to our script tags.
As we’re not yet completely static apart from the API, we set an environment variable on our Rails app, letting it know the right SRI hash, plus the build location for the latest code:
The env variable is then used to generate some HTML:
Note that crossorigin is set to anonymous, meaning that no cookies or other auth are shared with the subresource.
1. cat the file to be hashed into openssl:
2. make the digest (can be SHA-256 / 384 / 512; we use 384 as it's a sane length):
3. base64-encode the binary SHA digest:
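The same three steps carried out in Python's standard library, as an added example rather than the deployment script from the post: sri_hash() produces the value the env variable holds, script_tag() renders the tag the Rails view emits, and browser_accepts() mirrors what the browser does with the integrity attribute (pick the strongest listed algorithm, accept if any digest of that strength matches). BUNDLE, the function names and the hypothetical CDN URL are constructed for the example.

```python
import base64
import hashlib
import html

# Constructed sample standing in for the built JS bundle the deploy script hashes.
BUNDLE = b"window.app = { version: '1.0.0' };\n"


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Steps 1-3 of the pipeline: digest the bytes, base64 the raw (binary)
    digest, and prefix the algorithm name. SRI only allows these three."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"SRI does not allow {algo}")
    digest = hashlib.new(algo, data).digest()  # binary digest, not hex
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """The HTML generated from the env variable: integrity plus
    crossorigin="anonymous" so no cookies go to the asset host."""
    return (f'<script src="{html.escape(src)}" '
            f'integrity="{html.escape(integrity)}" '
            f'crossorigin="anonymous"></script>')


def browser_accepts(integrity: str, fetched: bytes) -> bool:
    """Browser-side check: parse the space-separated integrity list, keep only
    the strongest algorithm present, and accept if ANY digest of that
    strength matches the fetched bytes."""
    strength = {"sha256": 0, "sha384": 1, "sha512": 2}
    parsed = []
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in strength:
            # "?options" suffix is allowed by the SRI syntax; ignore it.
            parsed.append((strength[algo], algo, value.split("?")[0]))
    if not parsed:
        return True  # no usable metadata: the browser loads the resource unchecked
    best = max(s for s, _, _ in parsed)
    best_algo = next(a for s, a, _ in parsed if s == best)
    expected = {v for s, _, v in parsed if s == best}
    actual = sri_hash(fetched, best_algo).split("-", 1)[1]
    return actual in expected


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/app.js", sri_hash(BUNDLE))
    print(tag)
    print("accepted:", browser_accepts(sri_hash(BUNDLE), BUNDLE))
    print("tampered accepted:", browser_accepts(sri_hash(BUNDLE), BUNDLE + b"//x\n"))
```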