Subresource Integrity


子资源完整性 (SRI) 是一项安全功能,可让浏览器验证其抓取的文件 (例如,从一个 CDN) 是在没有意外操作的情况下传递的。它的工作原理是允许您提供一个获取的文件必须匹配的加密散列/哈希。


使用 内容交付网络 (CDNs) 托管在多个站点之间共享的脚本和样式表等文件可以提高站点性能并节省带宽。然而,使用CDN也带来风险,因为如果攻击者获得对CDN的控制,则攻击者可以将任意恶意内容注入到CDN上的文件中 (或完全替换文件) 并因此也可能潜在地攻击从该CDN获取文件的所有站点。


The Subresource Integrity feature enables you to mitigate the risk of attacks such as this, by ensuring that the files your Web application or Web document fetches (from a CDN or anywhere) have been delivered without a third-party having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.


You use the Subresource Integrity feature by specifying a base64-encoded cryptographic hash of a resource (file) you’re telling the browser to fetch, in the value of the integrity attribute of any <script> or <link> element.

An integrity value begins with at least one string, with each string including a prefix indicating a particular hash algorithm (currently the allowed prefixes are sha256, sha384, and sha512), followed by a dash, and ending with the actual base64-encoded hash.

An integrity value may contain multiple hashes separated by whitespace. A resource will be loaded if it matches one of those hashes.

Example integrity string with base64-encoded sha384 hash:


An integrity value’s “hash” part is, strictly speaking, a cryptographic digest formed by applying a particular hash function to some input (for example, a script or stylesheet file). But it’s common to use the shorthand hash to mean cryptographic digest, so that’s what’s used in this article.


You can generate SRI hashes from the command-line with openssl using a command invocation such as this:

cat FILENAME.js | openssl dgst -sha384 -binary | openssl enc -base64 -A         

Additionally, the SRI Hash Generator at is an online tool you can use to generate SRI hashes. 


In the following examples, assume that oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC is already known to be the expected SHA-384 hash (digest) of a particular script example-framework.js, and there’s a copy of the script hosted at


You can use the following <script> element to tell a browser that before executing the script, the browser must first compare the script to the expected hash, and verify that there’s a match.

<script src=""

有关 crossorigin属性的用途的更多详细信息, 见 CORS settings attributes.


Browsers handle SRI by doing the following:

  1. When a browser encounters a <script> or <link> element with an integrity attribute, before executing the script or before applying any stylesheet specified by the <link> element, the browser must first compare the script or stylesheet to the expected hash given in the integrity value.
  2. If the script or stylesheet doesn’t match its associated integrity value, then the browser must refuse to execute the script or apply the stylesheet, and must instead return a network error indicating that fetching of that script or stylesheet failed.


Specification Status Comment
Subresource Integrity Recommendation  
Fetch Living Standard  


Feature Chrome Firefox (Gecko) Internet Explorer Opera Safari
The integrity attribute for <script> and <link> 45.0 43 (43) 未实现 32 未实现 [1]
The CSP require-sri-for directive ? 49 (49) ? ? ?
Feature Chrome for Android Firefox Mobile (Gecko) IE Mobile Opera Mobile Safari Mobile
The integrity attribute for <script> and <link> 45.0 43.0 (43) 未实现 未实现 未实现 [1]
The CSP require-sri-for directive ? 49.0 (49) ? ? ?

[1] WebKit bug 148363



 此页面的贡献者: xgqfrms-GitHub
 最后编辑者: xgqfrms-GitHub,