twitter-bootstrap: What is the purpose of the integrity attribute in HTML?

Notice: this page is a Chinese-English parallel translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must do so under the same license, cite the original post and attribute it to the original authors (not me). Stack Overflow original: http://stackoverflow.com/questions/34429024/

Date: 2020-10-21 23:28:12  Source: igfitidea

What is the purpose of the integrity attribute in HTML?

Tags: javascript, twitter-bootstrap, subresource-integrity

Asked by Emma Ramirez

I was on bootstrap's site, and I recently noticed that their CDN links contained an integrity attribute with an SHA-384 key.

<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>

I assume that is meant to be a way to verify the script source, but more so I was wondering how it's used and if this is part of any spec?

Furthermore, does this only work with script src's or can it work with any non-same-origin source?

Answered by Dray

Check this:

https://developer.mozilla.org/en/docs/Web/HTML/Element/script

Using Content Delivery Networks (CDNs) to host files such as scripts and stylesheets that are shared among multiple sites can improve site performance and conserve bandwidth. However, using CDNs also comes with a risk, in that if an attacker gains control of a CDN, the attacker can inject arbitrary malicious content into files on the CDN (or replace the files completely) and thus can also potentially attack all sites that fetch files from that CDN.

The Subresource Integrity feature enables you to mitigate the risk of attacks such as this, by ensuring that the files your Web application or Web document fetches (from a CDN or anywhere) have been delivered without a third-party having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.

Read more here:

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

Answered by Tanmay

Using Content Delivery Networks (CDNs) to host files such as scripts and stylesheets that are shared among multiple sites can improve site performance and conserve bandwidth. However, using CDNs also comes with a risk, in that if an attacker gains control of a CDN, the attacker can inject arbitrary malicious content into files on the CDN (or replace the files completely) and thus can also potentially attack all sites that fetch files from that CDN.

The Subresource Integrity feature enables you to mitigate the risk of attacks such as this, by ensuring that the files your Web application or Web document fetches (from a CDN or anywhere) have been delivered without a third-party having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.

Using Subresource Integrity
You use the Subresource Integrity feature by specifying a base64-encoded cryptographic hash of a resource (file) you're telling the browser to fetch, in the value of the integrity attribute of any <script> or <link> element.

An integrity value begins with at least one string, with each string including a prefix indicating a particular hash algorithm (currently the allowed prefixes are sha256, sha384, and sha512), followed by a dash, and ending with the actual base64-encoded hash.

An integrity value may contain multiple hashes separated by whitespace. A resource will be loaded if it matches one of those hashes.
Example integrity string with base64-encoded sha384 hash:

sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC
An integrity value's “hash” part is, strictly speaking, a cryptographic digest formed by applying a particular hash function to some input (for example, a script or stylesheet file). But it's common to use the shorthand hash to mean cryptographic digest, so that's what's used in this article.

For more information: Link

Answered by Imran Ahmad

Subresource Integrity defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation (reference).

The integrity attribute allows the browser to check the file source, so that the code is never loaded if the source has been manipulated.

The crossorigin attribute is present when a request is loaded using CORS, which is now a requirement for SRI checking when the resource is not loaded from the same origin. More info on crossorigin

More detail on Bootstrap CDN's implementation is here