Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Meitar

    (@meitar)

    Is your website being served over HTTPS or HTTP? If the latter, the integrity attribute would not offer any additional security, so it is not added.

    This is also why there is a line of text right above the button you pressed to post this question that reads:

    Did you include a link to your site, so that others can see the problem?

    Thread Starter stratoextra

    (@stratoextra)

    Hi Maymay,

    Thanks for your answer. I deactivated the plugin for now, so no, there’s no link.
    But the site is indeed served via https. I can’t see why there’s no additional security when I serve the site via https; it still could happen that the resources I load from a CDN get compromised. At least this is what W3C states is the main reason to use SRI.

    On the other hand I am not sure how the theme I am using is including these resources (i.e. if the theme uses wp_enqueue_script/style).

    Cheers,
    Chris

    Plugin Author Meitar

    (@meitar)

    I can’t see why there’s no additional security when I serve the site via https

    You misread what I wrote. I said there’s no security benefit to adding the integrity attribute when pages are served over HTTP, so SRI attributes are not added in that case. This is the W3C’s position as well.

    On the other hand I am not sure how the theme I am using is including these resources (i.e. if the theme uses wp_enqueue_script/style).

    It is necessary for themes and plugins to use the WordPress API to enqueue scripts/styles for this plugin to recognize the presence of these external resources.

    Thread Starter stratoextra

    (@stratoextra)

    @maymay: That makes sense (both). Sorry for the confusion.
    It’s a pity that many theme authors seem to be so sloppy with their themes.

    One last question: Does it make sense to add SRI to scripts that are hosted on the same site? I think yes, always, but I’m not an expert on this.

    Plugin Author Meitar

    (@meitar)

    Does it make sense to add SRI to scripts that are hosted on the same site?

    No, it doesn’t. The point of SRI is to secure external resources from a compromise on the remote origin. So, for instance, if jQuery.com gets hacked, adding SRI attributes on example.com would make sense because it would prevent the hacked jQuery libraries from being loaded by visitors of example.com. But it makes no sense for example.com to add SRI attributes for resources served from example.com itself, because if example.com gets hacked, both the embedded resources and the SRI attributes could be altered by the attacker, rendering the protection offered by SRI attributes useless.

    This, too, is consistent with the W3C’s description of the goals for SRI implementations.

  • The topic ‘No SRI Attributes Rendered’ is closed to new replies.
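
The two rules stated in this thread (no integrity attribute for pages served over HTTP, none for same-origin resources), together with the digest comparison a browser performs, as an added example that is not the plugin's code. The function names, URLs and sample script body are constructed for illustration.

```javascript
// Added example, not the plugin's code. All names, URLs and bodies are constructed.
const { createHash } = require("node:crypto");

// Build an SRI value such as "sha384-<base64 digest>" for a resource body.
function sriValue(body, algo = "sha384") {
  return `${algo}-${createHash(algo).update(body).digest("base64")}`;
}

// Decide whether an integrity attribute is worth emitting, following the
// thread: only for HTTPS pages, and only for resources on another origin.
function integrityFor(pageUrl, resourceUrl, body) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page); // resolves relative paths against the page
  if (page.protocol !== "https:") return null; // HTTP page: the attribute adds nothing
  if (res.origin === page.origin) return null; // same origin: attacker controls both
  return sriValue(body);
}

// Browser-side check (single-hash case): recompute the digest and compare.
function verifies(integrity, fetchedBody) {
  const algo = integrity.slice(0, integrity.indexOf("-"));
  return sriValue(fetchedBody, algo) === integrity;
}

// Constructed sample: a library body as published, and a tampered copy.
const published = "window.lib = { version: '1.0.0' };";
const tampered = published + "/* injected */";

function demo() {
  const cdn = "https://cdn.example.net/lib.js";
  return {
    httpPage: integrityFor("http://example.com/", cdn, published),
    sameOrigin: integrityFor("https://example.com/", "/js/lib.js", published),
    external: integrityFor("https://example.com/", cdn, published),
  };
}

const r = demo();
console.log(r);
console.log("published verifies:", verifies(r.external, published));
console.log("tampered verifies:", verifies(r.external, tampered));
```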