Javascript executed even after SRI Integrity failure

Question

I have a test page on local on 9180 port, which is loading JS from another port to simulate different domain.

<html>
<head>
  <script src="http://localhost:8080/myscript.js" integrity="jRIKARJybgWRWqQslhFC5boBExY7MBLvUpMWYpuXuL1sDqCCp2Gd"></script>
</head>
<body>
  Testing SRI
</body>

myscript.js

alert('Hello');

On running this on browser, I see error on console, but alert is still fired

Error parsing 'integrity' attribute ('jRIKARJybgWRWqQslhFC5boBExY7MBLvUpMWYpuXuL1sDqCCp2Gd'). The hash algorithm must be one of 'sha256', 'sha384', or 'sha512', followed by a '-' character.

Am I missing something? Or its due to local that browser is allowing script to be executed.

score 0 · Accepted Answer · answered Mar 08 '19 at 13:40

0

Since (as the error message says) the integrity attribute value itself is invalid, the browser isn't enforcing it.

answered Mar 08 '19 at 13:40

Quentin

914,110
126
1,211
1,335

Correct, it seems I made a mistake while adding that. Also it seems the resource needs to be CORS enabled to enforce integrity check. – Sandeep Kumar Mar 08 '19 at 13:49

Javascript executed even after SRI Integrity failure

1 Answers1