SRI Hash CDN inline JS

Time: 2018-10-17 01:01:40

Tags: javascript security cdn subresource-integrity

I have a JS file that is delivered via a CDN.

I'm currently using this CDN on HTML pages, but the JavaScript is loaded by using JS to create the script tag dynamically.

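How can I hash my JS file and use the SRI / hash value for the www.some-url-my-js.com attribute of my dynamically generated script tag? My JS file is an object in a bucket in a cloud service.

A colleague of mine suggested adding an integrity check to the inline JS, or targeting a CSP at this path, or adding it to our CDN, but I'm not sure what he was talking about.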

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

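Update: I forgot to mention that my CDN JS file is used on multiple websites, so is this something I need to do inside the JS file itself, via an npm script / event listener, etc.? In my dynamically created script tag.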

I need something similar to what jQuery and Bootstrap do for their CDNs. They provide the

<script type="text/javascript">
  var script = document.createElement('script')
  var parent = document.body
  script.addEventListener('load', () => {
    window.chatInit(someSettings) // function from my JS file/CDN
  })
  script.src = 'www.some-url-my-js.com';
  parent.appendChild(script)
</script>

value and the integrity value.

0 answers:

No answers
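
One way to do what the question asks, as an added example that is not part of the original post: compute the `integrity` value from the file's bytes in a Node publish step, then set `integrity` and `crossOrigin` on the dynamically created element. The names `sriHash`, `matchesIntegrity` and `loadScriptWithSRI` and the sample file contents are assumptions made for illustration, and `matchesIntegrity` is a simplified model of the browser's check.

```javascript
// Added example. Function names and the sample file are hypothetical/constructed.
const { createHash } = require('node:crypto');

// Constructed stand-in for the bytes of the JS object stored in the bucket.
const SAMPLE_JS = Buffer.from('window.chatInit = function (settings) {};\n');

// Publish step (Node): integrity value for the exact bytes that get uploaded.
function sriHash(bytes, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(bytes).digest('base64')}`;
}

// Model of the browser's check: ignore unknown algorithms, keep only the
// strongest one listed, and accept if any digest of that strength matches.
const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);
function matchesIntegrity(bytes, integrity) {
  const parsed = integrity.trim().split(/\s+/)
    .map((token) => token.split('?')[0]) // drop optional "?options"
    .map((token) => ({ algo: token.slice(0, token.indexOf('-')), token }))
    .filter(({ algo }) => STRENGTH.has(algo));
  if (parsed.length === 0) return true; // no usable metadata: nothing enforced
  const best = Math.max(...parsed.map(({ algo }) => STRENGTH.get(algo)));
  return parsed
    .filter(({ algo }) => STRENGTH.get(algo) === best)
    .some(({ algo, token }) => sriHash(bytes, algo) === token);
}

// Browser side: the question's dynamic loader plus integrity and crossOrigin.
// `doc` is a parameter (pass `document` in a page) so this also runs in Node.
function loadScriptWithSRI(doc, src, integrity, onLoad) {
  const script = doc.createElement('script');
  script.integrity = integrity;
  // A cross-origin file is only checked when fetched in CORS mode, so the CDN
  // must also answer with an Access-Control-Allow-Origin header.
  script.crossOrigin = 'anonymous';
  script.addEventListener('load', onLoad);
  script.addEventListener('error', () => console.error(`not loaded: ${src}`));
  script.src = src;
  doc.body.appendChild(script); // attributes above must be set before this
  return script;
}
```

Because the hash pins exact bytes, publish each release under a versioned, immutable URL and give every embedding site the matching integrity value; overwriting the file in place makes every page that pinned the old hash refuse to run it.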