[whatwg] Proposal: Specify SHA512 hash of JavaScript files in <script> tag

Yoav Weiss yoav at yoav.ws
Tue Feb 4 23:06:03 PST 2014

On Sat, Dec 14, 2013 at 3:41 PM, Bjoern Hoehrmann <derhoermi at gmx.net> wrote:

> * Some Developer wrote:
> >Currently most people store their JavaScript code on a CDN of some sort.
> >This often involves uploading their JavaScript files to a server hosted
> and
> >run by a third party which means the control and security of the server is
> >out of the hands of the website owner. If the CDN is hacked or a rogue
> >employee decides to edit your JavaScript you might end up serving
> malicious
> >JavaScript to your users without even knowing it.
> >
> >In order to overcome this problem I propose that a new attribute is added
> >to the <script> tag which allows the website owner to specify a SHA512
> hash
> >of the JavaScript file ahead of time. If when the file is downloaded from
> >the CDN by the browser it does not match the SHA512 hash in the HTML the
> >browser should discard the JavaScript file and display a warning to the
> >user that the file has been modified and that it should be considered as
> >malicious.
> You probably want to talk to <http://www.w3.org/2011/webappsec/>.
> --

Indeed, the webappsec WG is currently working on sub-resource integrity
spec that covers exactly that use-case:

More information about the whatwg mailing list