
Subresource Integrity and performance

I'm reading about Subresource Integrity but I'm worried about the performance loss. How does this (having to hash every file before executing it) slow down the page load, especially on devices with low level CPUs?

asked Oct 18 '22 13:10

the_nuts


1 Answer

I ran a performance benchmark today and observed the following averages when generating hashes for a 120KB Twitter Bootstrap minified CSS file.

File Size: 121200
SHA1   Time: 0.50199 ms
SHA256 Time: 0.89691 ms
SHA384 Time: 1.59249 ms
SHA512 Time: 1.58901 ms

SHA1 is considered insecure and may not work. So, if you use SHA256, you can expect an overall delay of less than 1 ms per resource on a common device. I ran this benchmark on my one-and-a-half-year-old Core i5 ASUS laptop that is not very good at performance. Also, 120KB is a little above average. Most static files are smaller, and smaller file size would mean faster hash generation.

Based on these benchmarks, if I weigh the benefits of using SRI with the cost of 1ms per resource, I will prefer to use SRI as the cost is almost negligible. Chances of hackers getting into the server of a large CDN provider are not negligible as you said in a comment. I would point you to a past incident where hackers injected their own JavaScript to attack IE users.

answered Jan 04 '23 05:01

Hamid Sarfraz
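
Added example, not part of the original answer and not the answerer's benchmark code: a Node.js sketch that times SHA-256/384/512 over a constructed 121200-byte body (the file size quoted above) and performs the integrity check the way the SRI specification describes it, enforcing only the strongest algorithm listed. The function names and the sample body are assumptions made for illustration, and Node's hashing is not a browser's, so the timings are indicative only.

```javascript
// Added example, not from the original answer. Node.js built-ins only.
const nodeCrypto = require('node:crypto');

// Algorithms SRI defines, weakest to strongest.
const ALGS = ['sha256', 'sha384', 'sha512'];

// Constructed sample body: 121200 bytes, the file size quoted in the answer.
function sampleBody() {
  return Buffer.alloc(121200, '.btn{color:#333}');
}

// Build one integrity token, e.g. "sha384-<base64 digest>".
function sriToken(alg, body) {
  return `${alg}-${nodeCrypto.createHash(alg).update(body).digest('base64')}`;
}

// Check a body against an integrity attribute as the SRI spec describes:
// unsupported tokens are ignored, only the strongest algorithm present is
// enforced, and any matching token of that algorithm is enough.
function verifyIntegrity(integrity, body) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(t))
    .filter(Boolean)
    .map((m) => ({ alg: m[1], token: `${m[1]}-${m[2]}` }));
  if (tokens.length === 0) return true; // no usable metadata: nothing to enforce
  const strongest = ALGS[Math.max(...tokens.map((t) => ALGS.indexOf(t.alg)))];
  const expected = sriToken(strongest, body);
  return tokens.some((t) => t.alg === strongest && t.token === expected);
}

// Mean wall-clock milliseconds to hash `body` once with `alg`.
function meanHashMs(alg, body, rounds = 200) {
  const start = process.hrtime.bigint();
  for (let i = 0; i < rounds; i++) nodeCrypto.createHash(alg).update(body).digest();
  return Number(process.hrtime.bigint() - start) / 1e6 / rounds;
}

// Print per-algorithm timing and confirm the untampered body verifies.
const body = sampleBody();
for (const alg of ALGS) {
  const ok = verifyIntegrity(sriToken(alg, body), body);
  console.log(`${alg}: ${meanHashMs(alg, body).toFixed(3)} ms per hash, verifies=${ok}`);
}
```

Listing a weaker hash next to a stronger one adds no fallback: when both are present, only the stronger one is checked.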