Cross-Domain Subresource Integrity (SRI) Checks are scanned as part of the Cross-site Scripting Security Tests used to evaluate the Web Application Security Risk Vector.
With this security test, we assess whether external resources include a valid integrity attribute. The grade is based on a weighted observation of vulnerable (no SRI) vs. not vulnerable (has SRI) resources.
Need to fix this?
- Avoid loading scripts from third-party hosts, so that a compromised third party or a compromised network path cannot alter the content or JavaScript your page executes.
- If loading third-party scripts is necessary, add a subresource integrity (SRI) integrity attribute to each script tag whenever possible.
How can I check the Cross-Domain Subresource Integrity setting in my web application? Use Chrome Developer Tools to inspect the page's script tags and confirm the presence of the integrity attribute on each cross-domain script.
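As an added example (not Bitsight's scanner and not code from this article), the following Python script applies the same check locally: it parses a page, keeps only script tags whose origin differs from the page's, and tallies those with and without a non-empty integrity attribute; sri_hash shows how the attribute value itself is derived from a resource body. The sample HTML, the example.com/net/org hostnames and the placeholder hash are constructed for the demonstration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity value ('sha384-<base64 digest>') for a resource body; browsers accept sha256/384/512 only."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode('ascii')}"

def origin(url: str) -> str:
    """scheme://host[:port], lower-cased; a script is cross-domain when this differs from the page's."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

class ScriptAuditor(HTMLParser):
    """Collect external <script src> tags and sort them by presence of a non-empty integrity attribute."""
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url, self.with_sri, self.missing_sri = page_url, [], []
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script: nothing is fetched, so there is nothing for SRI to protect
        absolute = urljoin(self.page_url, src)  # resolves relative and protocol-relative (//cdn/...) srcs
        if origin(absolute) == origin(self.page_url):
            return  # same-origin script: outside the cross-domain check
        has_sri = bool((a.get("integrity") or "").strip())  # integrity="" counts as missing
        (self.with_sri if has_sri else self.missing_sri).append(absolute)

def audit_page(html: str, page_url: str) -> dict:
    """Tally vulnerable (no SRI) vs. not vulnerable (has SRI) cross-domain scripts on one page."""
    auditor = ScriptAuditor(page_url)
    auditor.feed(html)
    total = len(auditor.with_sri) + len(auditor.missing_sri)
    return {"cross_domain_scripts": total, "with_sri": auditor.with_sri,
            "missing_sri": auditor.missing_sri,
            "missing_ratio": len(auditor.missing_sri) / total if total else 0.0}

# Constructed sample page (example.com/net/org hosts, placeholder hash), not a real site.
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="//widgets.example.org/w.js" integrity=""></script>
<script>console.log("inline");</script></head></html>"""
```

Running audit_page(SAMPLE_HTML, "https://shop.example.com/") reports three cross-domain scripts, one with SRI and two without; the same-origin and inline scripts are not counted.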
Does this impact my WAS Risk Vector Grade? Yes.
Possible Grades:
- Good: Relevant SRI checks are implemented. (Weight = 0)
- Fair: Few or no SRI checks are implemented. (Weight = >0 and 0.1)
What will I see in the Portal?
Issue: Missing integrity attribute
Details: The page does not include an integrity attribute on cross-domain fetching of scripts.
Good to Know:
- Certain scripts cannot have the integrity attribute set. Learn more about excluded scripts here.
- Learn more about subresource integrity (SRI) on the Bitsight blog or refer to Mozilla's developer documentation on Subresource Integrity.