@evilpie
Last active September 23, 2025 16:51
Support for (script) integrity on the web
| Description | Example | Can have integrity metadata ¹ | Content-Security-Policy support for hashes | Integrity-Policy support ² |
|---|---|---|---|---|
| External script | `<script src=http://>` | Yes (integrity attribute) | Yes | Yes |
| Inline script | `<script>alert("hello world");</script>` | No ³ | Yes | No |
| Event handlers | `onclick=alert(1)` | No | Yes (with 'unsafe-hashes') | No |
| javascript: protocol | `javascript:alert(2)` | No | Yes (with 'unsafe-hashes') | No |
| Static import | `import foo from "/bar.js"` | Yes ("importmap") | Yes | Yes |
| Dynamic import | `import("/script.js")` | Yes ("importmap") | Yes | Yes |
| Eval | `eval("alert('boo');")`, `new Function() ...` | No | No ⁴ | No |
| WebAssembly | | No | No | No |
| Worker | `new Worker("/worker.js")` | No | No | No |
| Worker scripts | `importScripts("/foo.js")` | No | No | No |
| Worklet | `audioWorklet.addModule()` | No | No | No |
| Service Worker | `navigator.serviceWorker.register()` | No | No | No |

Footnotes

  1. https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata-description

  2. Everything that is not supported by the Integrity-Policy is allowed to execute by default.

  3. The Inline Integrity proposal currently only adds support for signatures.

  4. Hashes for eval() scripts are part of the script-src-v2 proposal.

@dveditz
dveditz commented Aug 29, 2025

Worklets? The Worker stuff probably applies directly, except they use addModule() for additional scripts instead of importScripts()

@rich-hansen
CSP treats WebAssembly as a kind of eval(). If script-src-v2 is adding hashes for regular eval it should be expanded to cover wasm-eval also.

I'd argue it's better to keep them separate given CSP treats them separately. "unsafe-eval" vs "wasm-unsafe-eval" directives as the example.