Rocket Loader SRI

Would it be possible to add an integrity value to Rocket Loader? Since this script is included by Cloudflare, there is no way for us to easily add this. I don’t see any potential downside to doing this, but if there is one, please let me know.

It might be able to be added with Workers, but I’m not sure.

Thanks!

While I am a big fan of SRI, I am afraid I wouldn’t exactly see the added value in this case. That is not to say Cloudflare should not add it, just that I don’t think it would add much security.

SRI is mostly useful in the context of embedding content from third party sources, so that it is ensured the embedded content is what it was at the time when it was embedded and was not compromised.

In the case of Rocket Loader, that script tag is not something you “hardcode” on your site but it gets dynamically added by Cloudflare, hence the SRI would also come dynamically from Cloudflare and if someone managed to compromise that file there is a good chance they can adjust the SRI hash as well. Just like in the case if you SRI’d the files hosted locally on your server. If someone can alter them, he can probably also tamper with the hash.

If you do not keep the generation of hash and content separate, the former becomes somewhat meaningless. It is similar to a self-signed certificate.

1 Like

You make a very valid point.