  • Subresource Integrity: How to show only warning but not block resource?

    Secure approach

    If you need some kind of flexibility, then you should use a fallback mechanism: loading the required resource from another URL. The probability that two different URLs will be hacked at the same time is a lot smaller compared to hacking just one resource. A fallback doesn't violate site security, because you must trust the known-good sources which you use in your code. If your resource is JavaScript, you can use a noncanonical-src attribute for a fallback too.

    Microsoft provides asp-fallback-test; the final generated output is:

    <script src="https://cdn.bootcdn.net/ajax/libs/axios/0.19.2/axios.min.js" integrity="sha384-3zW4Ss6nBzDaj/vvjP2Qwu5xaWAzOgTSccYj0DfBO/5tDzQksJa+tWrYMlYPM00u" crossorigin="anonymous"></script>
    <script>(window.axios||document.write("\u003Cscript src=\u0022/lib/axios/dist/axios.min.js\u0022 integrity=\u0022sha384-3zW4Ss6nBzDaj/vvjP2Qwu5xaWAzOgTSccYj0DfBO/5tDzQksJa\u002BtWrYMlYPM00u\u0022 crossorigin=\u0022anonymous\u0022\u003E\u003C/script\u003E"));</script>

    "\u003Cscript src=\u0022/lib/axios/dist/axios.min.js\u0022 integrity=\u0022sha384-3zW4Ss6nBzDaj/vvjP2Qwu5xaWAzOgTSccYj0DfBO/5tDzQksJa\u002BtWrYMlYPM00u\u0022 crossorigin=\u0022anonymous\u0022\u003E\u003C/script\u003E"

    Decoding it with https://coderstoolbox.net/string/#!encoding=js&action=decode&charset=utf_8 gives:

    "<script src="/lib/axios/dist/axios.min.js" integrity="sha384-3zW4Ss6nBzDaj/vvjP2Qwu5xaWAzOgTSccYj0DfBO/5tDzQksJa+tWrYMlYPM00u" crossorigin="anonymous"></script>"
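An added example (not from the original post and not Microsoft's implementation) that generates the same kind of output under Node.js: it computes the SRI value, emits the primary tag, and escapes the fallback tag as `\uXXXX` so it round-trips through the decode step shown above. The library body, URLs, `window.demoLib` and all function names are assumptions made for illustration.

```javascript
// Added example: SRI-protected <script> plus a document.write fallback,
// escaped in the same \uXXXX style as the generated output above.
const crypto = require('crypto');

// SRI value for a resource body: "<alg>-<base64 digest>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// Escape characters that could close the inline <script> or the string
// literal; the browser's JS parser restores them when the string is evaluated.
function jsEscape(s) {
  return s.replace(/[<>"'&+\\]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

function scriptTag(src, integrity) {
  return `<script src="${src}" integrity="${integrity}" crossorigin="anonymous"></script>`;
}

// Primary tag, then an inline test: if `testExpr` is falsy (the CDN copy was
// blocked by the integrity check or failed to load), write a tag for the
// fallback URL carrying the same integrity value.
// Assumption: src, fallbackSrc and testExpr are developer-supplied constants,
// never user input.
function withFallback({ src, fallbackSrc, testExpr, body }) {
  const integrity = sriHash(body);
  const fallback = jsEscape(scriptTag(fallbackSrc, integrity));
  return scriptTag(src, integrity) + '\n' +
    `<script>(${testExpr}||document.write("${fallback}"));</script>`;
}

// Constructed sample: a stand-in library body and hypothetical URLs.
const sampleBody = Buffer.from('window.demoLib={version:"1.0.0"};');
const html = withFallback({
  src: 'https://cdn.example.com/demo-lib.min.js',
  fallbackSrc: '/lib/demo-lib/demo-lib.min.js',
  testExpr: 'window.demoLib',
  body: sampleBody,
});
console.log(html);
```

Because the fallback tag carries the same integrity value as the primary one, the local copy must be byte-identical to the CDN file or the browser blocks it as well.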

    Handling load error within subresource integrity check

    Answer 1

    Take a look at this implementation of SRI-fallback:

    https://github.com/cyph/sri-fallback

    Answer 2

    You can check if the loaded resource is present and load a fallback local copy:

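    <script src="https://code.jquery.com/jquery-1.12.0.min.js" integrity="sha256-Xxq2X+KtazgaGuA2cWR1v3jJsuMJUozyIXDB3e793L8=" crossorigin="anonymous"></script>
    <script>
    // window.jQuery is undefined if the CDN copy failed to load or was
    // blocked by the integrity check; load the local copy instead.
    if (!window.jQuery) {
        var script = document.createElement('script');
        script.src = '/local-resources/js/jquery-1.12.0.min.js';
        // Keep execution order relative to other dynamically inserted scripts.
        script.async = false;
        document.head.appendChild(script);
    }
    </script>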
  • Original article: https://www.cnblogs.com/chucklu/p/15320954.html