subresource integrity (SRI)

robov · October 5, 2017, 8:18am

I am loading my jquery through a CDN to increase speed, but now I want to add an additional layer of protection by adding the subresource integrity (SRI) integrity flag with a hash (like suggested here: https://www.troyhunt.com/protecting-your-embedded-content-with-subresource-integrity-sri/ )

How do I add this to my asset loading ?



                'yii&#092;web&#092;JqueryAsset' =&gt; [ 


                    'sourcePath' =&gt; null,   // do not publish the bundle


                    'js' =&gt; [ 'https://code.jquery.com/jquery-2.2.4.min.js',] 


                ],

samdark · October 5, 2017, 10:02am




'yii\web\JqueryAsset' => [ 

    'sourcePath' => null, // do not publish the bundle

    'js' => [

        [

            'https://code.jquery.com/jquery-2.2.4.min.js',

            'integrity' => 'your-hash',

            'crossorigin' => 'anonymous',

        ], 

],

robov · October 5, 2017, 10:49am

Awesome…

… but I feel stupid… how could I not find that in the manuals ?

Is it there ?

samdark · October 5, 2017, 10:34pm

It is in API docs. SRI isn’t covered explicitly but it is mentioned that you can use such format to set HTML attributes for a link and SRI is exactly that — HTML attributes.

robov · October 6, 2017, 6:26am

Thanks… next time I need to look longer and deeper for my answers…