hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added a note that SRI can be considered for some dynamic services

Browse Source
This commit is contained in:
aegilops
2024-07-12 12:48:36 +01:00
parent d71be8aeaf
commit 040f948e65
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.qhelp
View File

@@ -28,11 +28,21 @@
</p>
<p>
Subresource integrity checking is commonly recommended when importing a fixed version of
Subresource integrity (SRI) checking is commonly recommended when importing a fixed version of
a library - for example, from a CDN (content-delivery network). Then, the fixed digest
of that version of the library can easily be added to the <code>script</code> element's
<code>integrity</code> attribute.
</p>
<p>
A dynamic service cannot be easily used with SRI. Nevertheless,
it is possible to list multiple acceptable SHA hashes in the <code>integrity</code> attribute,
such as those for the content generated for major browers used by your users.
</p>
<p>
See the `CUSTOMIZING.md` file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.
</p>
</overview>
<recommendation>