Securing 3rd party scripts

admin

on Mon Aug 17 2020

Recommendations:

Reproducible builds, with a lockfile

Use LTS versions where you care less about bleeding edge features

Tests that assert only expected requests are sent out

Use Subresource Integrity attributes on script and link tags

<script integrity="sha256-oqVuAP" crossorigin="anonymous" src="core.js"></script>

crossorigin="anonymous" means cookies are not sent with the request.

The hash value is generated from the content of the file. SRI gives you control over changes to third-party libraries: if the file's content no longer matches the hash, the browser refuses to load it. When a change you accept happens, update the SRI hash.
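A build-time check for the hash described above, as an added example that is not part of the original post. It runs under Node.js; the function names `sriHash` and `verifyIntegrity` and the sample file contents are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Hash algorithms SRI accepts, weakest to strongest.
const ALGORITHMS = ['sha256', 'sha384', 'sha512'];

// Build an integrity attribute value from the exact bytes of a file.
function sriHash(content, algorithm = 'sha256') {
  if (!ALGORITHMS.includes(algorithm)) {
    throw new Error(`unsupported SRI algorithm: ${algorithm}`);
  }
  const digest = nodeCrypto.createHash(algorithm).update(content).digest('base64');
  return `${algorithm}-${digest}`;
}

// Check file bytes against an integrity attribute. Like a browser, only the
// strongest algorithm listed is used and any matching hash of it is enough.
// Unlike a browser, an attribute with no usable hash fails the check.
function verifyIntegrity(integrityAttr, content) {
  const tokens = integrityAttr.trim().split(/\s+/)
    .map((token) => token.split('?')[0]) // drop optional "?options" suffix
    .map((token) => {
      const dash = token.indexOf('-');
      return { algorithm: token.slice(0, dash), value: token.slice(dash + 1) };
    })
    .filter((token) => ALGORITHMS.includes(token.algorithm));
  if (tokens.length === 0) return false;
  const strongest = tokens
    .map((token) => token.algorithm)
    .sort((a, b) => ALGORITHMS.indexOf(b) - ALGORITHMS.indexOf(a))[0];
  return tokens
    .filter((token) => token.algorithm === strongest)
    .some((token) => sriHash(content, strongest) === `${strongest}-${token.value}`);
}

// Constructed sample input: the vendored file and a changed upstream copy.
const original = Buffer.from('console.log("core v1");\n');
const tampered = Buffer.from('console.log("core v2");\n');

// Value to place in the integrity attribute of the script tag.
const pinned = sriHash(original);
console.log(pinned);
console.log('original matches:', verifyIntegrity(pinned, original));
console.log('changed file matches:', verifyIntegrity(pinned, tampered));
```

Running a check like this in CI against the files you actually serve catches a changed dependency before the browser starts blocking it for users.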