Subresource integrity (SRI) is pretty new. It lets you, as the owner of a website, specify a cryptographic digest (a hash) of your page's subresources, such as JavaScript and CSS.
What's the point? To make sure the code you request is the code you actually run.
We’ve started by just implementing it on our own resources by adding a few lines to our deployment script, plus a couple of extra attributes to our script tags.
Rainforest's front end lives in its own repo, a project called Regenwald (German for rainforest), which contains all our React, Backbone and other JavaScript. We use CircleCI to build and deploy everything to AWS S3.
As we're not yet completely static (apart from the API), we set an environment variable on our Rails app that tells it the right SRI hash and the build location of the latest code:
The env variable is then used to generate some HTML:
Note that crossorigin is set to anonymous, meaning that no cookies or other credentials are sent along with the request for the subresource.
1. cat the file to be hashed into openssl:
2. Make the digest (SHA-256, SHA-384 or SHA-512 are allowed; we use SHA-384 as it's a sane length):
3. Base64-encode the binary SHA digest:
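The three hashing steps above, together with the script tag the Rails side renders from the environment variable, as one runnable shell example. This is added here and is not Rainforest's deployment script or its Rails template; it assumes openssl is on PATH, and every file name, URL and file content in it is constructed for the example. Besides producing the integrity value it also re-checks a file against a published value, which is the same comparison the browser performs and is a useful step in CI before and after the S3 upload.

```shell
#!/bin/sh
# Added example, not Rainforest's deployment script or Rails template.
# Assumes `openssl` is on PATH; all file names and contents are constructed.

# Usage: sri_hash <sha256|sha384|sha512> <file>
# Prints an SRI integrity value such as "sha384-<base64 digest>", running
# the three steps above as a single pipeline.
sri_hash() {
    alg="$1"
    file="$2"
    case "$alg" in
        sha256|sha384|sha512) ;;
        *) echo "sri_hash: SRI only allows sha256/sha384/sha512, not '$alg'" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "sri_hash: no such file: $file" >&2; return 1; }
    # 1. feed the file to openssl  2. binary digest  3. base64 on one line (-A)
    digest=$(openssl dgst "-$alg" -binary "$file" | openssl base64 -A) || return 1
    printf '%s-%s\n' "$alg" "$digest"
}

# Usage: sri_script_tag <url> <file>
# Emits the tag the page's HTML needs. crossorigin="anonymous" is required for
# the browser to check the hash of a cross-origin resource (e.g. one served
# from an S3 bucket) and means no cookies travel with the request.
sri_script_tag() {
    printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
        "$1" "$(sri_hash sha384 "$2")"
}

# Usage: sri_verify <expected integrity value> <file>
# Returns 0 when the file still matches the published value, i.e. the same
# check the browser does; handy in CI to confirm the uploaded file is the
# one that was hashed.
sri_verify() {
    expected="$1"
    file="$2"
    alg="${expected%%-*}"
    actual=$(sri_hash "$alg" "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Stand-alone demo on a constructed file.
demo=$(mktemp)
printf 'console.log("hello from regenwald");\n' > "$demo"   # constructed content
sri_script_tag "https://example.invalid/build/app.js" "$demo"
published=$(sri_hash sha384 "$demo")
sri_verify "$published" "$demo" && echo "verify: OK"
printf '/* tampered */\n' >> "$demo"
sri_verify "$published" "$demo" || echo "verify: MISMATCH after tampering"
rm -f "$demo"
```

If you are already using sha384sum or a language-level hashing library in your deploy script, the only thing that matters is that the digest is base64-encoded from the raw bytes, not from the hex string; encoding the hex output is the most common way to end up with an integrity value that no browser accepts.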