I'm reading about Subresource Integrity but I'm worried about the performance loss. How does this (having to hash every file before executing it) slow down the page load, especially on devices with low level CPUs?
I ran a performance benchmark today and observed the following averages when generating hashes for a 120KB Twitter Bootstrap minified CSS file.
File Size: 121200
SHA1 Time: 0.50199 ms
SHA256 Time: 0.89691 ms
SHA384 Time: 1.59249 ms
SHA512 Time: 1.58901 ms
SHA1
is considered insecure and may not work. So, if you use SHA256
, you can expect an overall delay of less than 1 ms per resource on a common device. I ran this benchmark on my one and half year old Corei5 ASUS Laptop that is not very good at performance. Also, 120KB is a little above average. Most static files are smaller, and smaller file size would mean faster hash generation.
Based on these benchmarks, if I weigh the benefits of using SRI with the cost of 1ms per resource, I will prefer to use SRI as the cost is almost negligible. Changes of hackers getting into the server of a large CDN provider are not negligible as you said in a comment. I would point you to a past incident where hackers injected their own javascript to attack IE users.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With