Please add SRI checking to the loading of jQuery from both Google and from jQuery direct. This adds an additional level of security to this module but is not necessary for its function.
Description as follows:

Copied from Netsparker:
Subresource Integrity (SRI) provides a mechanism to check the integrity of resources hosted by third parties, like Content Delivery Networks (CDNs), and verifies that the fetched resource has been delivered without unexpected manipulation.
SRI does this using a hash comparison mechanism: the hash value declared in HTML elements (for now only script and link elements are supported) is compared with the hash value of the resource hosted by the third party.
Use of SRI is recommended as a best practice whenever libraries are loaded from a third-party source.

https://www.w3.org/TR/SRI/
https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/
https://speakerdeck.com/jdorfman/web-application-security-with-subresour...

Comments

coolestdude1 created an issue.

markhalliwell

Priority: Minor » Normal
Status: Active » Postponed
Related issues: +#2852350: [jquery_update] 7.x-3.0 stable release

I'm really not sure how this will be possible since core handles the actual construction of those script tags with no way to actually add SRI attributes to them.

markhalliwell

Title: Add Subresource Integrity Checking (SRI) » [PP-1] Add Subresource Integrity (SRI) validation
Parent issue: » #1869928: Better CDN/API/automation support
Related issues: +#1664602: Allow attributes to be passed to drupal_add_[css|js] (SRI)

This likely won't be able to be done until at least the CDN stuff is sorted.

It also likely won't work "out-of-the-box" except with newer core versions once #1664602: Allow attributes to be passed to drupal_add_[css|js] (SRI) is committed.

Alternatively, using something like https://www.drupal.org/project/advagg could help add this functionality (it implements its own version of the above core patch).

mcdruid

Status: Postponed » Closed (outdated)

See #3312045: Plan for jQuery Update 7.x-4.0 release.

FWIW I think that SRI would be great, but I'm not sure we'll be adding it in jQuery Update.