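<!DOCTYPE html>
<!--
https://github.com/SoftwareAddictionShow/html-subresource-integrity

Demo page for Subresource Integrity (SRI): the two buttons fetch the same
jQuery file from ajax.googleapis.com, once with the correct sha384 digest and
once with a deliberately wrong one, and report whether the load was accepted.
-->
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Subresource Integrity</title>
  <!-- jsSHA provides the digest used by the fallback check in loadScript for
       browsers without native SRI. These are same-origin scripts, so no
       integrity attribute is needed on them. -->
  <script src="js/jsSHA/sha.js"></script>
  <script src="js/jsSHA/sha1.js"></script>
  <script src="js/jsSHA/sha256.js"></script>
  <script src="js/jsSHA/sha512.js"></script>
  <link rel="stylesheet" href="styles.css" media="screen">
  <link rel="stylesheet" href="themes/obsidian.css" media="screen">
</head>
<body>
  <span id="forkongithub">
    <a href="https://github.com/SoftwareAddictionShow/html-subresource-integrity">Fork me on GitHub</a>
  </span>
  <h1>Subresource Integrity</h1>
  <p>
    Verify that HTML script and link resources have not been modified.
  </p>
  <!-- The sample is HTML-escaped so it is shown as text. Left unescaped, the
       parser treats it as a live script element and loads jQuery on page load
       instead of displaying the markup. -->
  <pre><code data-language="html">
&lt;script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.0/jquery.min.js"
integrity="sha384-K+ctZQ+LL8q6tP7I94W+qzQsfRV2a+AfHIi9k8z8l9ggpc8X+Ytst4yBo/hH+8Fk"
crossorigin="anonymous"&gt;&lt;/script&gt;
</code></pre>
  <p>
    Browser supports subresource integrity: <span id="hasNativeIntegrityCheck"></span>
  </p>
  <!-- Status spans are live regions so the asynchronous result is announced;
       they must exist before the script writes into them. -->
  <p>
    <button type="button" id="loadGood">Load script with good integrity</button><span id="statusGood" role="status"></span>
  </p>
  <p>
    <button type="button" id="loadBad">Load script with bad integrity</button><span id="statusBad" role="status"></span>
  </p>
  <h2>Sources:</h2>
  <p>
    <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity">
      https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
    </a>
  </p>
  <p>
    <a href="https://www.srihash.org/">https://www.srihash.org/</a>
  </p>
  <p>
    <a href="http://caniuse.com/#feat=subresource-integrity">http://caniuse.com/#feat=subresource-integrity</a>
  </p>
  <!-- The scripts below sit after the body end tag; the HTML parser moves
       them back into the body, so they still run in document order. -->
</body>
<script src="js/rainbow.js"></script>
<script src="js/language/html.js"></script>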
<script>
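/**
 * Issue an asynchronous XMLHttpRequest and report the outcome through cb
 * exactly once.
 *
 * @param {string} url      resource to fetch
 * @param {string} method   HTTP method, e.g. 'GET'
 * @param {function} cb     cb(responseText, status) when a reply arrives
 *                          (any HTTP status); cb(null, status) on network
 *                          error, timeout or abort, where status is 0
 * @param {number} [timeout] milliseconds before the request is abandoned;
 *                          defaults to 3000
 */
function httpRequest(url, method, cb, timeout) {
  timeout = timeout || 3000;
  var xhr = new XMLHttpRequest();
  var reported = false;

  // More than one XHR event can fire for a single request (for example a
  // readystatechange at readyState 4 *and* error/timeout), so the callback
  // is funnelled through a guard that lets it run only once.
  function report(body, status) {
    if (reported) {
      return;
    }
    reported = true;
    cb(body, status);
  }

  // onload fires for every completed reply, including 4xx/5xx; the caller
  // decides what to do with the status.
  xhr.onload = function() {
    report(xhr.response, xhr.status);
  };
  xhr.onerror = function() {
    report(null, xhr.status);
  };
  xhr.ontimeout = function() {
    report(null, xhr.status);
  };
  xhr.onabort = function() {
    report(null, xhr.status);
  };

  xhr.open(method, url, true);
  // Set after open(): some older engines reject assigning timeout earlier.
  xhr.timeout = timeout;
  xhr.send(null);
}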
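/**
 * Map an SRI token prefix to the jsSHA variant name.
 *
 * The SRI specification permits only sha256, sha384 and sha512; anything
 * else yields null so the caller can refuse the load. Only the first token
 * of a space-separated integrity list is considered.
 *
 * @param {string} integrity  e.g. "sha384-<base64 digest>"
 * @returns {string|null}     "SHA-256" / "SHA-384" / "SHA-512" or null
 */
function _sriAlgorithm(integrity) {
  var m = /^sha(256|384|512)-/.exec(integrity);
  return m ? 'SHA-' + m[1] : null;
}

/**
 * Fetch a script and execute it only if its integrity check passes.
 *
 * With native SRI support the browser performs the check and fires
 * onerror on mismatch. Without it, the body already fetched is hashed
 * with jsSHA and, on a match, executed *from that same text* rather than
 * by re-requesting url — a second fetch could return different bytes from
 * the ones that were verified.
 *
 * @param {string} url            script location (same URL as the SRI tag)
 * @param {function} cb_load      called after the script executed
 * @param {function} cb_error     called with an Error/Event when the fetch
 *                                fails, the reply is not 200, the digest
 *                                prefix is unsupported, or the digest
 *                                does not match
 * @param {string} [integrity]    SRI value; when absent the script is
 *                                loaded without any check
 */
function loadScript(url, cb_load, cb_error, integrity) {
  function ok() {
    if (typeof cb_load === 'function') {
      cb_load();
    }
  }
  function fail(e) {
    if (typeof cb_error === 'function') {
      cb_error(e);
    }
  }

  httpRequest(url, 'GET', function(response, status) {
    if (status !== 200) {
      // Network failure, timeout or non-200 reply: report instead of
      // silently doing nothing.
      fail(new Error('HTTP status ' + status + ' for ' + url));
      return;
    }

    var script = document.createElement('script');
    script.setAttribute('crossorigin', 'anonymous');

    if (!integrity) {
      // No digest requested: plain load, still reporting the outcome.
      script.onload = ok;
      script.onerror = fail;
      script.src = url;
      document.head.appendChild(script);
      return;
    }

    if (HTMLScriptElement.prototype.hasOwnProperty('integrity')) {
      // Native SRI: attributes are set before src/append so the browser
      // sees the integrity value when it starts the fetch.
      script.onload = ok;
      script.onerror = fail;
      script.setAttribute('integrity', integrity);
      script.src = url;
      document.head.appendChild(script);
      return;
    }

    // Fallback for browsers without SRI. The original code set script.src
    // after the comparison regardless of the result, so a mismatch was
    // reported but the unverified script still ran; here nothing is
    // executed unless the digest matches.
    var algorithm = _sriAlgorithm(integrity);
    if (!algorithm) {
      fail(new Error('unsupported integrity algorithm in "' + integrity + '"'));
      return;
    }
    // NOTE(review): jsSHA hashes the decoded response text re-encoded as
    // UTF-8, which equals the digest of the raw bytes only for resources
    // that are valid UTF-8 without a BOM — the case for the demo target.
    var sha_obj = new jsSHA(algorithm, 'TEXT');
    sha_obj.update(response);
    var hash = integrity.slice(0, integrity.indexOf('-') + 1) + sha_obj.getHash('B64');
    if (hash !== integrity) {
      fail(new Error('integrity mismatch for ' + url));
      return;
    }

    // Execute exactly the text that was verified.
    script.text = response;
    document.head.appendChild(script);
    ok();
  });
}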
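/**
 * Wire one demo button: on click, load jQuery with the given integrity
 * value and write the result into the matching status span.
 *
 * Both buttons shared an identical copy-pasted handler differing only in
 * ids and digest; this helper holds the single implementation.
 *
 * @param {string} buttonId   selector of the button, e.g. '#loadGood'
 * @param {string} statusId   selector of the span that shows the outcome
 * @param {string} integrity  SRI value passed to loadScript
 */
function wireLoadButton(buttonId, statusId, integrity) {
  var src = "https://ajax.googleapis.com/ajax/libs/jquery/2.2.0/jquery.min.js";
  var statusEl = document.querySelector(statusId);

  // The message is plain text, so textContent is used rather than
  // innerHTML; the old class is dropped so a repeat click shows only the
  // latest attempt.
  function show(text, cls) {
    statusEl.textContent = text;
    statusEl.classList.remove('good', 'bad');
    statusEl.classList.add(cls);
  }

  document.querySelector(buttonId).addEventListener('click', function() {
    loadScript(src,
      function() {
        show('Loaded ' + src, 'good');
      },
      function(e) {
        show('Failed to load ' + src, 'bad');
      },
      integrity);
  });
}

// Correct digest for jquery 2.2.0 (matches the sample shown on the page).
wireLoadButton('#loadGood', '#statusGood',
  "sha384-K+ctZQ+LL8q6tP7I94W+qzQsfRV2a+AfHIi9k8z8l9ggpc8X+Ytst4yBo/hH+8Fk");
// Deliberately wrong digest: a correct SRI implementation must refuse it.
wireLoadButton('#loadBad', '#statusBad',
  "sha384-baaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaad");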
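// Report native SRI support: browsers implementing SRI expose an
// `integrity` property on HTMLScriptElement.prototype (the same test
// loadScript uses to pick the native or fallback path). The value is
// written as text; innerHTML was unnecessary for a boolean, and the
// element variable no longer reuses the name `integrity`.
var has_integrity = HTMLScriptElement.prototype.hasOwnProperty('integrity');
var supportIndicator = document.querySelector('#hasNativeIntegrityCheck');
supportIndicator.textContent = String(has_integrity);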
</script>
</html>