Subresource Integrity seems to be an awesome stopgap, allowing you to safely use third-party controlled HTTP resources.
However, the specification only considers the interfaces HTMLLinkElement and HTMLScriptElement:
Note: A future revision of this specification will likely include integrity support for all possible subresources, i.e. a, audio, embed, iframe, img, link, object, script, source, track and video.
I understand that the content referenced by the script and link elements is more "active", but browsers remove the green lock for fetching even relatively innocuous images over plain HTTP, while the specification chooses to ignore them? This seems like a huge lack of foresight to me.
What was the reason for this and when can we expect a “future revision”, if at all?
SRI , , , . , JQuery CDN, , , ( - ). SRI .
, . JQuery http , , SRI.
, :
SRI . , , (, https).
, , , upgrade-insecure-requests ( , ).
Source: https://habr.com/ru/post/1626085/