Ryan McDonough

Subresource integrity

A new feature in Google Chrome 45 is the ability to add meta data inline to

This is done by adding integrity  metadata to the element inline such as:

<link rel=”stylesheet” href=”this_is_verified.css” integrity=”sha256-qvuZLpjL9TNV6yI1kNdGCPnSTrWM6Y0ILEzzyvA9hGY=”>

You would generate the base64 encoded version of the SHA256 hash with the following command:

cat this_is_verified.cssopenssl dgst -sha256 -binaryopenssl enc -base64 -A

If the hash doesn’t match the file and the integrity is compromised the browser will not load the resource.

This is currently in development for Firefox as well, though no news on Edge or Safari for implementation.