Date of Publication: May 1st, 2023
Warning:
Subresource Integrity (SRI) is not a supported feature on Metadata. Customers choosing to implement SRI on hosted scripts or resources do so at their own risk. Our support team will not provide assistance or troubleshooting for issues related to SRI implementation. Please review this knowledge base article on unsupported SRI functionality to understand the potential implications and limitations before proceeding.
Introduction
This Knowledge Base article provides information about Subresource Integrity (SRI) use on resources supplied by Metadata, its relevance, and the limitations of implementing SRI on our platform. It is important to note that SRI is not a supported feature on the Metadata platform, and customers implementing this feature do so at their own risk.
Subresource Integrity (SRI) Overview
Subresource Integrity (SRI) is a security feature that allows browsers to verify that fetched resources, such as scripts and stylesheets, are delivered without unexpected manipulation. It achieves this by comparing the fetched resource's cryptographic hash with the expected hash value. If the values match, the browser loads the resource; otherwise, it blocks the resource.
Published “One-Time” Hash Value:
Below we provide a one-time hash value to customers who want to implement Subresource Integrity (SRI) on Metadata hosted scripts. Please keep in mind some important considerations :
-
Ongoing Maintenance: While this one-time hash might be helpful initially, customers using the provided hash value will still need to maintain and update the hash values whenever the hosted resources change. This includes updating the integrity attribute in the corresponding HTML elements to match the new hash values. If not appropriately maintained, an outdated hash value can cause browsers to block resources, leading to potential performance issues or broken functionality on your website that uses Metadata SIte Scipts.
-
Limited Support: Since SRI is not a supported feature on your platform, providing a one-time hash does not imply that Metadata supports SRI to any extent. Metadata will not provide assistance or troubleshooting for issues related to SRI implementation beyond providing a new Hash value on a per support request basis.
-
Scope of Responsibility: It is the customer’s sole responsibility to implement and maintain the SRI values. This includes generating or requesting new hash values, updating integrity attributes, and addressing any potential issues or complications arising from SRI implementation.
Below please find the one-time hash value for the implementation of SRI. However, it's essential to consider the potential implications of the unsupported nature of SRI on your platform and the associated responsibilities.
SRI Hash Value:
sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC
Date of Hash Generation:
4/19/2023
Type:
Unsupported
Example of Unsupported SRI Implementation:
<script>
(function(options) {
var s = document.createElement("script");
s.async = true;
s.src = "https://cdn.metadata.io/v1.0/site-script.js";
s.integrity = "sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC";
s.crossorigin = "anonymous";
s.onload = function() {
window.Metadata.siteScript.init(options);
};
document.head.appendChild(s);
})({});
</script>
The SRI hash value above is a cryptographic hash generated using a specific hashing algorithm using SHA-384. This hash value must be included in the 'integrity' attribute [s.integity] referencing the resource (e.g., Metadata Site Script).
Unsupported SRI Functionality on Our Platform
Subresource Integrity (SRI) is not a supported feature or function. Consequently, customers who choose to implement SRI on hosted scripts do so at their own risk.
Summary of Unsupported SRI Functionality
Limited Support: As SRI is not a supported feature on our platform, our team cannot assist or troubleshoot issues related to SRI implementation. We recommend opening a ticket with our support team (Link) to inquire about any changes to the above Hash value.
Compatibility Issues: Our platform is not fully compatible with SRI, which could lead to unexpected behavior, errors, or resource blocking.
Maintenance Responsibility: Customers who choose to implement SRI on their hosted scripts will be responsible for generating and updating the SRI hash values for their resources or proactively seeking an updated Hash value from Metadata. This process requires ongoing attention, especially when updating resources.
Potential Impact on Performance: Incorrect SRI implementation may lead to resource blocking by browsers, which can negatively impact the user experience and website performance.
Conclusion:
Subresource Integrity (SRI) is not supported on the Metadata Platform. Customers who choose to implement SRI on their hosted scripts do so at their own risk and are responsible for managing the associated tasks and potential issues. We encourage customers to thoroughly understand the implications and limitations of using unsupported SRI functionality before implementation.
Comments
0 comments
Article is closed for comments.