https://github.com/small-tech/subresource-integrity-spike
A quick spike to test subresource integrity behaviour on the same domain and via ESM imports.
https://github.com/small-tech/subresource-integrity-spike
Last synced: about 2 months ago
JSON representation
A quick spike to test subresource integrity behaviour on the same domain and via ESM imports.
- Host: GitHub
- URL: https://github.com/small-tech/subresource-integrity-spike
- Owner: small-tech
- Created: 2020-12-28T15:53:08.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-12-28T15:56:10.000Z (over 4 years ago)
- Last Synced: 2025-01-10T02:24:24.916Z (3 months ago)
- Language: JavaScript
- Size: 4.88 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: readme.md
Awesome Lists containing this project
README
# Subresource Integrity Spike
To test:
- Subresource integrity behaviour on same domain (as it is only documented for cross domain use).
- Subresource integrity behaviour with ES6 EcmaScript Module (ESM) imports.
## Install
Clone this repository and run:
```
npm install
```
## Usage
Run the server with:
### Passing integrity check
```
npm run passing
```
### Failing integrity check
```
npm run failing
```
## Tested with:
- Firefox 84.0 (Gecko)
- Ungoogled Chromium 87.0.4280.88 (Blink)
- Epiphany 3.28.6 (WebKit)
All tests run on elementary OS 5.1.7.
## Observations
- Subresource integrity works when script is loaded from the same domain (Gecko, Blink, WebKit)
- When subresource integrity is specified on a `script` tag, it is also blocked in a subsequent `import` attempt from a separate `script` tag in Gecko and Blink but __not__ in WebKit (at least with the version in Epiphany. Not tested with Safari.)