Is there any implementation or specification for including a hash or signature in an attribute of a <script> tag, so that the browser can verify that the correct file was retrieved before executing it? Something like:
<script
src="http://cdn.example.com/jquery-2001.js"
signature="sha-256/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
></script>
The motivation is this: generally, each additional CDN or host you use for your site increases your vulnerability, by adding a new target that can be hacked to compromise your site. Allowing your primary front-end servers to assert hashes or signatures of those files could entirely eliminate that risk, allowing you to be more flexible when designing your architecture. You could even request missing files from an untrusted peer-to-peer network.
I thought I remembered a specification about this, but haven't been able to find it.
This feature was proposed by the W3C as Subresource Integrity. As of December 2015, this recommendation has been implemented by Chrome 44 and Firefox 43.
EXAMPLE 1<link rel="stylesheet" href="https://site53.example.net/style.css" integrity="sha256-vjnUh7+rXHH2lg/5vDY8032ftNVCIEC21vL6szrVw9M=" crossorigin="anonymous">
There is a superficially similar feature in Content Security Policy Level 2, but it only restricts the contents of inline <script>
and <style>
elements, not external ones.