In the recent supply chain attack on the polyfill.io CDN, a GitHub account and domain were taken over by a malicious actor, who began injecting harmful JavaScript into thousands of websites. Once a website loads a remote script, that script runs in the first-party context and can do anything the page's own code can do, including logging form data, capturing cookies, and modifying the page at will. This poses an extreme risk if you do not trust the source completely.
One way to mitigate this risk is Subresource Integrity (SRI), which lets you pin a remote JavaScript file to a specific hash of its content. The browser refuses to execute the resource if the fetched content does not match the pinned hash, so a file that is changed on the CDN after you pinned it is simply blocked.
You can create the hash yourself with OpenSSL (the output is the base64-encoded SHA-384 digest that goes into the integrity attribute, prefixed with sha384-):
openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A
Web service
If you prefer, you can also use a web-based service to create the hash for you. I recommend srihash.org.
Once you submit the URL, it returns the hash along with the full script tag and instructions on how to use it in your HTML code.
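As an added example (not from the original post), here is a Python equivalent of the openssl command above, plus a browser-style check of an integrity attribute, including the case where several hashes are listed; the sample script bytes are constructed.

```python
import base64
import hashlib

# Constructed sample: stands in for the bytes of a remote script.
SAMPLE_JS = b"window.polyfillLoaded = true;\n"

# Algorithms recognised by SRI, ordered weakest to strongest.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Same value as: openssl dgst -sha384 -binary FILE | openssl base64 -A"""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Build the script tag; crossorigin is needed so the browser may read
    a cross-origin response body and check it against the hash."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algo)}" '
            f'crossorigin="anonymous"></script>')


def integrity_matches(content: bytes, integrity: str) -> bool:
    """Browser-style check: ignore unknown algorithms, keep only the strongest
    listed algorithm, and accept if any of its digests matches the content."""
    by_algo: dict[str, set[str]] = {}
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in SRI_ALGOS:
            # A digest may carry "?options" after it; those are ignored.
            by_algo.setdefault(algo, set()).add(rest.split("?")[0])
    if not by_algo:
        # No usable metadata: the spec treats this as no integrity at all.
        return True
    strongest = max(by_algo, key=SRI_ALGOS.index)
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode("ascii")
    return actual in by_algo[strongest]


if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/lib.js", SAMPLE_JS))
    print(integrity_matches(SAMPLE_JS, sri_hash(SAMPLE_JS)))            # True
    print(integrity_matches(SAMPLE_JS + b"evil();", sri_hash(SAMPLE_JS)))  # False
```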
3rd Party Library
If you load jQuery from its official CDN, the integrity attribute is already included in the example snippet, which is awesome.
This has become increasingly common and is a welcome development. I'm often torn between whether such a library should be loaded from my own server or from a third party. I often prefer to host it myself.
Google Analytics
Sadly, not everything is perfect. As soon as you want to use Google Analytics, things fall apart: I have never seen a successful implementation of SRI for it. If you know how to do this, feel free to share your insights in the comments.