Where do i find the sub resource integrity value for the script //maps.google.com/maps/api/js?
For example:
<script src="//maps.google.com/maps/api/js" integrity="sha256-????" crossorigin="anonymous"></script>
Do this using the `require-sri-for` directive in your CSP header. For example: Content-Security-Policy: require-sri-for script; This requires that any attempts to load JavaScript will only succeed if the Subresource Integrity information is in place and the integrity check succeeds.
Right-click a file in the File Explorer, select Send to…, and then select sri-hash . You will see the integrity value in a command box.
Solution: Subresource Integrity (SRI) SRI is a security policy that prevents the loading of resources that don't match an expected hash. By doing this, if an attacker were to gain access to a file and modify its contents to contain malicious code, it wouldn't match the hash we were expecting and not execute at all.
The integrity attribute allows a browser to check the fetched script to ensure that the code is never loaded if the source has been manipulated. Subresource Integrity (SRI) is a W3C specification that allows web developers to ensure that resources hosted on third-party servers have not been altered.
You don't find the SRI digest for that script, and even if you did it wouldn't help you.
You don't:
SRI hashes are for content that doesn't change. Google changes the code that underlies their API all the time. You don't get to pick which version of the API to use; they choose for you, which is why there's no version number in that script path.
Using SRI for the Google Maps API script doesn't actually provide any additional security because that script's whole job is to download the newest version of a set of other scripts that actually provide the API functionality.
You can't use SRI to validate those other scripts, so you're already obligated to trust Google's security or forgo using their Maps API.
Even if you did, it wouldn't be helpful:
For scripts that don't download other JS files, try scrolling a bit lower down on the srihash.org site.
It says you can generate the SRI digest yourself using the Linux shell command openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A
However that still won't help you with sites like this that don't serve the content with CORS headers because the browser requires CORS in order to do the SRI validation. Without the proper CORS headers, the browser won't even try to compare the script to the SRI digest.
There's an explanation of the thought processes behind the decision to require CORS here: https://github.com/w3c/webappsec/issues/338#issuecomment-99766294
The upshot is that since SRI hashes are for all types of resources (not just JS and CSS files that have a legacy exception to the whole CORS thing) it could be used to get around same-origin policy enough to sniff otherwise inaccessible content.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With