
Subresource Integrity Hash Generator

Open kfrancis opened this issue 3 years ago • 5 comments

What's the Problem?

When securing a site, one feature you can use is an SRI hash on your scripts so the browser will block them if they get modified.

Solution/Idea

Implement a new generator for Subresource Integrity.

Given an HTTPS URL, read the content and generate the hash of the content.

Example

URL: https://code.jquery.com/jquery-3.6.0.min.js

SHA-256 hash: sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=

Full SHA-256 script tag:

<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script>

SHA-384 hash: sha384-vtXRMe3mGCbOeY7l30aIg8H9p3GdeSe4IFlP6G8JMa7o7lXvnz3GFKzPxzJdPfGK

Full SHA-384 script tag:

<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha384-vtXRMe3mGCbOeY7l30aIg8H9p3GdeSe4IFlP6G8JMa7o7lXvnz3GFKzPxzJdPfGK" crossorigin="anonymous"></script>

SHA-512 hash: sha512-894YE6QWD5I59HgZOGReFYm4dnWc1Qt5NtvYSaNcOP+u1T9qYdvdihz0PPSiiqn/+/3e7Jo4EaG7TubfWGUrMQ==

Full SHA-512 script tag:

<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha512-894YE6QWD5I59HgZOGReFYm4dnWc1Qt5NtvYSaNcOP+u1T9qYdvdihz0PPSiiqn/+/3e7Jo4EaG7TubfWGUrMQ==" crossorigin="anonymous"></script>


Alternatives

https://www.srihash.org/

Priorities

| Capability | Priority |
| --- | --- |
| This proposal will allow developers to generate an SRI hash given a secure URL | Must |
| This proposal will allow developers to copy the generated hash only | Should |
| This proposal will allow developers to copy the completed script link | Could |

DevToys Version

Version 1.0.6.0 | X64 | RELEASE | c032ebb | c032ebb

Comments

No response

kfrancis avatar Apr 28 '22 13:04 kfrancis

Any particular reason @veler?

kfrancis avatar Mar 20 '23 19:03 kfrancis

Hi, Somehow, it looks like my answer got lost. Sorry about that. Long story short, my understanding is that in order to do this tool, an internet connection would be needed. DevToys needs to stay completely offline so we wouldn't want to add a tool that needs to download or upload anything.

That said, I wonder if the Checksum Generator tool could help with it? How different is that?

veler avatar Mar 20 '23 23:03 veler

Right, it is just a checksum - if you could pick the file locally, that would work too though I think you're right, it doesn't sound like a good fit.

kfrancis avatar Mar 21 '23 18:03 kfrancis

Checksum Generator tool already accepts local files.


One thing however: when I tested it yesterday, I found that https://www.srihash.org/ was providing a different hash for the same given file. Not sure what differs here.

veler avatar Mar 21 '23 19:03 veler

My guess would be how the content is read to generate the checksum, this is the example they use:

openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A

but yes, I see the same thing - so could we possibly get the ability to generate that checksum offline then?

kfrancis avatar Mar 24 '23 14:03 kfrancis
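
An offline equivalent of the openssl pipeline quoted in the thread, added here as an illustration (it is not DevToys code and not from any participant). It shows that an SRI value is the base64 of the raw digest bytes, so a checksum displayed as hexadecimal text is the same digest in a different encoding; the function names, the sample script and the example.com URL are constructed for this sketch.

```python
import base64
import hashlib

ALGORITHMS = ("sha256", "sha384", "sha512")  # hash names used in the issue's examples


def _encode(algorithm: str, digest: bytes) -> str:
    # SRI value = "<algorithm>-" + standard base64 of the RAW digest bytes.
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Integrity value for content already held in memory."""
    return _encode(algorithm, hashlib.new(algorithm, content).digest())


def sri_for_file(path: str, algorithm: str = "sha384") -> str:
    """Integrity value for a local file, read as bytes so nothing is re-encoded."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:  # binary mode: no newline or charset translation
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return _encode(algorithm, h.digest())


def sri_from_hex(hex_checksum: str, algorithm: str) -> str:
    """Re-encode a hexadecimal checksum of the same bytes as an SRI value."""
    raw = bytes.fromhex(hex_checksum.strip())
    if algorithm in ALGORITHMS and len(raw) != hashlib.new(algorithm).digest_size:
        raise ValueError("checksum length does not match the algorithm")
    return _encode(algorithm, raw)


def script_tag(src: str, integrity: str) -> str:
    """Build the script element in the form shown in the issue's examples."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    sample = b"console.log('constructed sample');\n"  # constructed input, not a real library
    hex_sum = hashlib.sha384(sample).hexdigest()
    print("hex checksum :", hex_sum)
    print("SRI value    :", sri_hash(sample))
    print("same digest  :", sri_from_hex(hex_sum, "sha384") == sri_hash(sample))
    print(script_tag("https://example.com/sample.js", sri_hash(sample)))
```

The digest covers the exact bytes of the file, so a copy saved with different line endings or a different character encoding produces a different integrity value than the one served by the CDN.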