1

To save money and/or reduce system complexity, I am hosting a script on a server that I don't fully trust. My trust issue might be with the server itself, or the PKI setup on it. The reason doesn't matter exactly, because we can just check a SHA of the script before executing it.

I am currently using the following standard function to fetch the script:

function includeJs(jsFilePath) {
    let js = document.createElement("script");
    js.src = jsFilePath;
    document.body.appendChild(js);
}

How do I modify this function so that it accepts a SHA argument, and the script is only executed if its SHA matches the argument value?

Ideally we should not modify the server. If we have to play with MIME types or use a WebSocket, that would be acceptable if you believe it is necessary (any insights into why such things are necessary would be helpful as well).

Improve this question
2

1 Answer 1

Reset to default
1

https://en.wikipedia.org/wiki/Subresource_Integrity

function includeJs(jsFilePath, sha) {
    let js       = document.createElement("script");
    js.src       = jsFilePath;
    js.integrity = `sha256-$(sha)`;
    document.body.appendChild(js);
}

The sha value is base64, for example generated as follows:

openssl dgst -binary -sha256 script.js | openssl base64 -A
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.