What hashing algorithms can be used for Subresource-Integrity?

Asked Dec 12 '17 at 08:29

Active Dec 12 '17 at 08:35

Viewed 206 times

My question is related to the browser support when using hashing algorithms for subresource-integrity.

Which hashing algorithms are expected to work as SRI hash in all browsers that support SRI? Or is there any browser compatibility chart available? Specification says that browsers should avoid broken algos, but there is not much info about which browser support what. Also, I cannot find list of hashing algos for the purpose.
Can SHA-3 be used for SRI hash? If so, what shall it look like? integrity="sha3-384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" or something like that? and does any browser support it yet?

edited Dec 12 '17 at 08:35

asked Dec 12 '17 at 08:29

Hamid Sarfraz

3

[*"Conformant user agents MUST support the **SHA-256, SHA-384, and SHA-512** cryptographic hash functions for use as part of a request’s integrity metadata and MAY support additional hash functions."*](https://w3c.github.io/webappsec-subresource-integrity/#hash-functions) – if you want maximum compatibility, I think this is pretty clear. – deceze Dec 12 '17 at 08:36
Thanks @deceze . What about SHA3? Is there any information about that? – Hamid Sarfraz Dec 12 '17 at 08:50
Not that the spec mentions it. – deceze Dec 12 '17 at 08:52

0 Answers0