HTML中的integrity属性的目的是什么? [英] What is the purpose of the integrity attribute in HTML?
问题描述
我在bootstrap的网站上,我最近注意到他们的CDN链接包含一个带有SHA-384密钥的完整性属性。
I was on bootstrap's site, and I recently noticed that their CDN links contained an integrity attribute with an SHA-384 key.
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>
我认为这是一种验证脚本源的方法,但更多我想知道如何它是否已被使用,如果这是任何规范的一部分?
I assume that is meant to be a way to verify the script source, but moreso I was wondering how it's used and if this is part of any spec?
此外,这仅适用于脚本src还是可以与任何非同源源一起使用?
Furthermore, does this only work with script src's or can it work with any non-same-origin source?
推荐答案
检查一下:
https://developer.mozilla.org/en/docs/Web/HTML/Element/script
使用内容交付网络(CDN)来托管多个站点之间共享的脚本和样式表等文件可以提高站点性能并节省带宽。但是,使用CDN还存在风险,因为如果攻击者获得对CDN的控制权,攻击者可以将任意恶意内容注入CDN上的文件(或完全替换文件),从而也可能攻击所有获取的网站来自该CDN的文件。
Using Content Delivery Networks (CDNs) to host files such as scripts and stylesheets that are shared among multiple sites can improve site performance and conserve bandwidth. However, using CDNs also comes with a risk, in that if an attacker gains control of a CDN, the attacker can inject arbitrary malicious content into files on the CDN (or replace the files completely) and thus can also potentially attack all sites that fetch files from that CDN.
通过确保Web应用程序或Web文档获取的文件(来自),Subresource Integrity功能可以降低此类攻击的风险CDN或任何地方)已经交付,而第三方没有在这些文件中注入任何其他内容 - 并且没有对这些文件进行任何其他类型的更改。
The Subresource Integrity feature enables you to mitigate the risk of attacks such as this, by ensuring that the files your Web application or Web document fetches (from a CDN or anywhere) have been delivered without a third-party having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.
在这里阅读更多内容:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
这篇关于HTML中的integrity属性的目的是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
