PCI failed for Script Src Integrity Check for google js

I have used this in my code:

<script type="text/javascript" src='https://www.googleadservices.com/pagead/conversion.js'></script> 

In a PCI scan I received an error for this saying "Script Src Integrity Check".

They recommended using SRI (Subresource Integrity check). This is done by adding an integrity attribute to the tag, which is a hash key.

I tried to create a hash key for this JS file on https://www.srihash.org/

But it's giving an error saying:

Error: this resource is not eligible for integrity checks. See https://enable-cors.org/server.html

Can you please help me here?

  1. How can I generate the hash key for this JS?

  2. Is there any other way to get rid of the PCI scan error for this?

Umesh Deshmukh asked Aug 01 '19 11:08

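As an added example (not part of the question or answers, and not Google's code), the script below does what srihash.org does: it computes the `integrity` value from the exact bytes of a file, verifies fetched bytes against it, and applies the CORS rule behind the "not eligible" error, which is that a browser only checks integrity on a cross-origin script whose response carries an Access-Control-Allow-Origin header matching the page (plus `crossorigin="anonymous"` on the tag). The JS bytes, headers, and URLs are constructed for the demo.

```python
import base64
import hashlib
import hmac

# SRI only permits these digest algorithms; browsers ignore anything else.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity value for the exact bytes served ('<algo>-<base64 digest>'),
    the same thing srihash.org computes. Any later edit to the file breaks it."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Compare fetched bytes against an integrity value, as the browser does."""
    algo = integrity.partition("-")[0]
    if algo not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_hash(content, algo).encode(), integrity.encode())


def sri_eligible(response_headers: dict, page_origin: str) -> bool:
    """Simplified eligibility check behind the 'not eligible' error: a cross-origin
    script is only integrity-checked if its response passes CORS, i.e. carries an
    Access-Control-Allow-Origin of '*' or the page's origin."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    return acao is not None and acao in ("*", page_origin)


def script_tag(src: str, integrity: str) -> str:
    """The tag needs crossorigin="anonymous" as well, or the browser will not verify."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


# Constructed sample data: not the real Google file, not its real response headers.
SAMPLE_JS = b"window.gtagConversion = function () { return 'ok'; };\n"
SAMPLE_INTEGRITY = sri_hash(SAMPLE_JS)
CORS_HEADERS = {"Content-Type": "text/javascript", "Access-Control-Allow-Origin": "*"}
NO_CORS_HEADERS = {"Content-Type": "text/javascript"}

if __name__ == "__main__":
    print(script_tag("https://cdn.example/conversion.js", SAMPLE_INTEGRITY))
    print("eligible with CORS header:", sri_eligible(CORS_HEADERS, "https://shop.example"))
    print("eligible without CORS header:", sri_eligible(NO_CORS_HEADERS, "https://shop.example"))
```

Pinning a hash this way only works for a file that stays byte-identical; a script the host revises in place will fail the check on the next change, so the hash must be regenerated whenever the upstream file changes.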


2 Answers

I ran into the same problem with Google-hosted JS. Google is not providing SRI. They revise the scripts from time to time, so they would need to version them and keep them static; otherwise the SRI would fail.

In the meantime, file a false positive with your PCI checking service. They would need to update this check to skip Google-hosted scripts, as if Google was hacked, well, that would be apocalyptic.

LaXDragon answered Nov 07 '22 03:11



I also ran into the same problem with the Google-hosted https://www.google.com/recaptcha/api.js.

I contacted our PCI scan company and they said that if we give them a statement that we trust Google, then they will change our scan result. Our statement was like:
1. We will check Google's API every 30 days to verify the integrity of the scripts.
2. We trust Google.
3. We accept liability for this vulnerability.

I hope it helps someone.

Zoltan answered Nov 07 '22 05:11
