A new browser technology called Subresource Integrity gives websites more control over the assets their pages fetch from CDNs or other third parties. The website author includes an integrity attribute carrying the expected hash of the resource; the browser hashes what it actually fetched and compares the two. If the values match, the resource is loaded. Otherwise, the browser refuses to load the resource.
Ruby on Rails apps can use sprockets-rails support for computing and adding the
GitHub has always been vigilant about XSS and other vulnerabilities, finding and fixing them internally as well as through our Bug Bounty Program. We were also early adopters of another XSS mitigation, Content Security Policy, and are always working to harden that policy. Now, Subresource Integrity adds another layer of mitigation, further raising the bar for attackers.
New browser security features like Subresource Integrity are making the web a safer place. They don’t do much good if websites don’t implement them though. We’re playing our role, and encourage you to consider doing the same.
Browser support at the time of this article’s publishing: