Security/Subresource Integrity

Description

Subresource Integrity is a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation. It landed in Firefox 43.

Engineering

• Tracking Bug

The bulk of the code lives in these two classes:

• SRICheck
• SRIMetadata

which hook into:

• layout/style/Loader.cpp (CSS loader)
• dom/base/nsScriptLoader.cpp (Script loader)

Both of these hooks work in the same way:

1. We start by creating an SRIMetadata object from the content of the integrity attribute as we process the element:
   • nsScriptLoader::ProcessScriptElement()
   • nsScriptLoader::PreloadURI()
   • Loader::CreateSheet()
2. We then wait until the file is downloaded and check that the hash of the contents matches the SRI hash:
   • nsScriptLoader::OnStreamComplete()
   • SheetLoadData::OnStreamComplete()
3. We return NS_ERROR_SRI_CORRUPT, which fails the load and triggers the error event on that element, if the hashes don't match.

QA

The automated tests live in these two places:

• dom/security/test/sri/
• testing/web-platform/tests/subresource-integrity/

To turn on debugging output, export the following environment variable:

MOZ_LOG="SRI:5,SRIMetadata:5"

Evangelism

• SRI Hash Generator (source code)

Documentation

• Specification
• MDN