Require SRI for resources

Rule ID:

require-sri

Category:

Security

Standards:

• Subresource Integrity

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch are delivered without unexpected manipulation.

Commonly needed when using Content Delivery Networks (CDN).

This rules requires the usage of the integrity attribute to provide the cryptographic hash for SRI to function.

Rule details

Examples of incorrect code for this rule:

<script src="//cdn.example.net/jquery.min.js"></script>

error: SRI "integrity" attribute is required on <script> element (require-sri) at inline:1:2:
> 1 | <script src="//cdn.example.net/jquery.min.js"></script>
    |  ^^^^^^


1 error found.

Examples of correct code for this rule:

<script src="//cdn.example.net/jquery.min.js" integrity="sha384-..."></script>

Options

This rule takes an optional object:

{
  "target": "all",
  "include": null,
  "exclude": null
}

target

• all require integrity for all resources, even on same origin.
• crossorigin requires integrity for all crossdomain resources.

With target set to crossorigin only requests to other domains need SRI. Note that the logic for determining crossdomain is a bit naïve, resources with a full url (protocol://) or implicit protocol (//) counts as crossorigin even if it technically would point to the same origin.

<!--- local resource -->
<link href="local.css">

<!-- resource loaded over CDN -->
<link href="//cdn.example.net/remote.css">

error: SRI "integrity" attribute is required on <link> element (require-sri) at inline:5:2:
  3 |
  4 | <!-- resource loaded over CDN -->
> 5 | <link href="//cdn.example.net/remote.css">
    |  ^^^^


1 error found.

include

• type: string[] | null

If set only URLs matching one or more patterns in this array yields errors. Patterns are matched as substrings.

For instance, with the following configuration only the first URL yields an error:

{
  "include": ["//cdn.example.net/"]
}

<!-- matches included pattern, yields error -->
<link href="//cdn.example.net/remote.css" />
<!-- doesn't match, no error -->
<link href="//static-assets.example.org/remote.css" />

error: SRI "integrity" attribute is required on <link> element (require-sri) at inline:2:2:
  1 | <!-- matches included pattern, yields error -->
> 2 | <link href="//cdn.example.net/remote.css" />
    |  ^^^^
  3 | <!-- doesn't match, no error -->
  4 | <link href="//static-assets.example.org/remote.css" />


1 error found.

exclude

• type: string[] | null

If set URLs matching one or more pattern in this array is ignored. Patterns are matched as substrings.

For instance, with the following configuration only the second URL yields an error:

{
  "exclude": ["//cdn.example.net/"]
}

<!-- doesn't match excluded pattern, yields error -->
<link href="//cdn.example.net/remote.css">
<!-- matches excluded pattern, no error -->
<link href="//static-assets.example.org/remote.css">

error: SRI "integrity" attribute is required on <link> element (require-sri) at inline:4:2:
  2 | <link href="//cdn.example.net/remote.css">
  3 | <!-- matches excluded pattern, no error -->
> 4 | <link href="//static-assets.example.org/remote.css">
    |  ^^^^


1 error found.

Version history

• 7.1.0 - include and exclude options added