
Do not trust the CDN:

link(href='//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css', rel='stylesheet' integrity='sha256-MfvZlkHCEqatNoGiOXveE8FIwMzZg4W85qfrfIFBfYc= sha512-dTfge/zgoMYpP7QbHy4gWMEGsbsdZeCXz7irItjcC3sPUFtf0kuFbDz/ixG7ArTxmDjLXDmezHubeNikyKGVyQ==' crossorigin='anonymous')

script(src='//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js' integrity='sha256-Sk3nkD6mLTMOF0EOpNtsIry+s1CsaqQC1rVLTAy+0yc= sha512-K1qjQ+NcF2TYO/eI3M6v8EiNYZfA95pQumfvcVrTHtwQVDG+aHRqLi/ETn2uB+1JqwYqVG3LIvdm9lj6imS/pQ==' crossorigin='anonymous')




To be fair SRI is brand new and doesn't exist yet in most browsers (just went live in Chrome in the last month?). It isn't realistic to expect most people to already be using it.

You can check a particular browser for SRI support using https://ejj.io/sri/


Despite minimal browser support, it's still nice to start seeing projects like this that make it very easy to implement SRI (for Wordpress users, in this case):

https://id.wordpress.org/plugins/wp-sri/


So integrity checking is just that: checking that the code is actually what you have uploaded. Having worked closely with the great people who have made the SRI specification (www.w3.org/TR/SRI/) I can guarantee any CDN supporting integrity checking wants to ensure you get the correct content.

If they didn't care about delivering the correct content they would be pushing back against the specification / using it.

This is why I have pushed Bootstrap to start using integrity checking to prevent this form of code injection. But yeah, there isn't a requirement for you to use this with a CDN either (I get that whilst the browser support isn't there, on a bank site it wouldn't perhaps be ideal - this has always been the case unless you are in charge of the CDN content). What it does do is inform me that they won't be delivering variable content of any kind whatsoever, as SRI would break that code if they tried to load malicious content.

Justin who has also replied to this message works closely with developer outreach at MaxCDN and cares greatly about their product 'doing the right thing'™

Let me know if you have any further questions about SRI as I can probably answer them for you.

Jonathan Kingston


Here's the W3C spec on SRI -- http://www.w3.org/TR/SRI/ -- if you still prefer not to use it, you can opt to remove the 'integrity' attribute, it's being provided as a convenience.

link(href='//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css', rel='stylesheet' crossorigin='anonymous')

script(src='//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js' crossorigin='anonymous')


Subresource integrity keeps CDNs honest. If a CDN is "incompatible" with subresource integrity, they're doing a MITM attack on your users and your site.
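The "keeps CDNs honest" point above is exactly what the browser-side check does: hash the bytes that actually arrived and compare them to the `integrity` attribute, loading nothing on mismatch. The following is an added example (not code from the thread, Bootstrap or MaxCDN) that reproduces that check in Python, including two details of the spec worth knowing: only the strongest listed algorithm is consulted, and an attribute with no recognised algorithm imposes no constraint at all. The sample script body is constructed for the example.

```python
import base64
import hashlib
import hmac

# Algorithms the SRI spec recognises, strongest first. A browser checks
# only the strongest one present in the attribute and ignores the rest.
SRI_ALGORITHMS = ("sha512", "sha384", "sha256")

# Constructed sample resource standing in for a CDN-hosted script.
SAMPLE_JS = b"window.bootstrapLoaded = true;\n"


def parse_integrity(attr):
    """Parse an integrity attribute into {algorithm: [base64 digests]}.
    Tokens with unknown algorithms are skipped, as the spec requires."""
    parsed = {}
    for token in attr.split():
        alg, sep, digest = token.partition("-")
        digest = digest.split("?", 1)[0]  # drop any trailing "?options"
        if sep and alg in SRI_ALGORITHMS:
            parsed.setdefault(alg, []).append(digest)
    return parsed


def digest_b64(alg, body):
    """Base64 digest of body, the encoding SRI uses in the attribute."""
    return base64.b64encode(hashlib.new(alg, body).digest()).decode("ascii")


def make_integrity(body, algs=("sha256", "sha512")):
    """Build the attribute value a site author pastes into the tag."""
    return " ".join(f"{alg}-{digest_b64(alg, body)}" for alg in algs)


def verify_sri(body, attr):
    """Mirror the browser: True if the fetched body may be used."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True  # no usable metadata means the resource loads unchecked
    strongest = next(a for a in SRI_ALGORITHMS if a in parsed)
    actual = digest_b64(strongest, body)
    # Any one digest for the strongest algorithm may match (allows rotation).
    return any(hmac.compare_digest(actual, d) for d in parsed[strongest])
```

Note the consequence of the "no usable metadata" branch: a typo in the algorithm name silently disables the check rather than blocking the load, so the attribute is worth validating at build time.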


As @ejcx said, it is Sub Resource Integrity (SRI), and we (BootstrapCDN/MaxCDN) should be more clear on what SRI is so it doesn't cause any panic. Thanks for the feedback. If you have any questions or concerns, you or anyone can email me at jdorfman at maxcdn .com



