Please add SRI checking to the loading of jquery from both google and from jquery direct. This adds an additional level of security to this module but is not necessary for its function.
Description as follows,

Copied from Netsparker:
Subresource Integrity (SRI) provides a mechanism to check the integrity of a resource hosted by third parties like Content Delivery Networks (CDNs) and verifies that the fetched resource has been delivered without unexpected manipulation.
SRI does this using a hash comparison mechanism. In this way, the hash value declared in HTML elements (for now only script and link elements are supported) will be compared with the hash value of the resource hosted by the third party.
Use of SRI is recommended as a best-practice, whenever libraries are loaded from a third-party source.

https://www.w3.org/TR/SRI/
https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/
https://speakerdeck.com/jdorfman/web-application-security-with-subresour...
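What the requested integrity attribute looks like and how the browser-side comparison behaves, as an added Python example (not code from this issue or from the jquery_update module); the script bytes and the CDN URL are constructed stand-ins:

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a CDN-hosted jquery file (not real jQuery code).
SAMPLE_JS = b"/* constructed stand-in for jquery.min.js */\nwindow.jQuery = function () {};\n"

SRI_ALGS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
# Strength ranking used when an integrity attribute lists several hashes.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(data: bytes, alg: str = "sha384") -> str:
    """Return an integrity token like 'sha384-<base64 digest>' for the exact bytes served."""
    digest = SRI_ALGS[alg](data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, data: bytes, alg: str = "sha384") -> str:
    """Build the <script> element SRI needs: integrity plus crossorigin so the fetch is CORS-enabled."""
    return f'<script src="{src}" integrity="{sri_hash(data, alg)}" crossorigin="anonymous"></script>'


def sri_matches(integrity: str, fetched: bytes) -> bool:
    """Mimic the browser check: keep only the strongest algorithm listed, pass if any of its hashes matches."""
    parsed = []
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        alg = alg.lower()
        if alg in SRI_ALGS:
            parsed.append((alg, b64.split("?")[0]))  # drop any option string after '?'
    if not parsed:
        return True  # no recognised algorithm: the spec treats this as no integrity metadata
    strongest = max(STRENGTH[a] for a, _ in parsed)
    for alg, expected in parsed:
        if STRENGTH[alg] != strongest:
            continue
        actual = base64.b64encode(SRI_ALGS[alg](fetched).digest()).decode("ascii")
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    # Constructed URL; a real deployment pins the exact versioned file it hashes.
    print(script_tag("https://cdn.example.invalid/jquery.min.js", SAMPLE_JS))
    print("tampered copy accepted:", sri_matches(sri_hash(SAMPLE_JS), SAMPLE_JS + b"// injected\n"))
```

Because the digest covers the exact bytes, the integrity value must be regenerated whenever the pinned jquery version changes, which is why the attribute has to be emitted alongside the script tag rather than bolted on afterwards.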

Comments

coolestdude1 created an issue. See original summary.

markcarver

Priority: Minor » Normal
Status: Active » Postponed
Related issues: +#2852350: [jquery_update] 7.x-3.0 stable release

I'm really not sure how this will be possible since core handles the actual construction of those script tags with no way to actually add SRI attributes to them.