I have the following stylesheet defined in my code:
<link rel="stylesheet"
href="//code.jquery.com/ui/1.12.1/themes/base/jquery-ui.css" integrity="sha256-RPilbUJ5F7X6DdeTO6VFZ5vl5rO5MJnmSk4pwhWfV8A=" crossorigin="anonymous">
And I’m trying to update it to version 1.14.1 based on the latest releases mentioned here:
However, just like for jquery version it’s available, I couldn’t find the integrity part anywhere for the base themes. Any idea, from where I can find it?
Is it OK to paste the URL (https://code.jquery.com/ui/1.14.1/themes/base/jquery-ui.css) on this website and use what’s generated in my code?
You can, yes. Hashing a file is hashing the file, regardless of what site is doing it. (Hint: That’s how your browser knows the integrity check passes - it hashes the file itself, and checks its result against the value provided.)
Just keep in mind that the integrity value will change if anyone updates the file.
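The check described above (the file is hashed and the result compared with the `integrity` value), as an added example that is not part of the original thread. The function names and the sample stylesheet bytes are constructed for illustration; the matching rule follows browser behaviour, where only the strongest listed algorithm is enforced.

```javascript
// Added example: SRI hashing and matching with Node's built-in crypto.
const crypto = require('node:crypto');

// Algorithms SRI allows, weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// Build an integrity value ("<algo>-<base64 digest>") from the file bytes.
function sriHash(bytes, algo = 'sha384') {
  if (!STRENGTH.includes(algo)) throw new Error(`unsupported algorithm: ${algo}`);
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Split an integrity attribute into { algo, digest } entries, skipping unknown ones.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean).map((token) => {
    const [expr] = token.split('?');          // drop any "?options" suffix
    const dash = expr.indexOf('-');
    return { algo: expr.slice(0, dash), digest: expr.slice(dash + 1) };
  }).filter((e) => STRENGTH.includes(e.algo));
}

// Browser-style check: only the strongest listed algorithm counts,
// and any one of its digests may match.
function verifySri(bytes, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true;      // no usable metadata: nothing is enforced
  const strongest = entries.reduce((best, e) =>
    STRENGTH.indexOf(e.algo) > STRENGTH.indexOf(best) ? e.algo : best, entries[0].algo);
  const actual = sriHash(bytes, strongest).slice(strongest.length + 1);
  return entries.some((e) => e.algo === strongest && e.digest === actual);
}

// Constructed sample bytes standing in for a downloaded stylesheet.
const original = Buffer.from('.ui-widget { font-family: Arial; }\n', 'utf8');
const modified = Buffer.from('.ui-widget { font-family: Arial; } \n', 'utf8'); // one extra space
const pinned = sriHash(original, 'sha256');

function demo() {
  return {
    unchanged: verifySri(original, pinned),    // same bytes, same hash
    afterUpdate: verifySri(modified, pinned),  // any edit to the file breaks the match
    mixedAlgos: verifySri(original, `sha256-AAAA ${sriHash(original, 'sha512')}`),
  };
}

console.log(pinned, demo());
```

To pin a real file, pass the bytes read from a downloaded copy (for example with `fs.readFileSync`) to `sriHash` and compare the output with the value any other tool or site produced.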
FWIW, you may also check out another CDN… for instance, here’s from cdnjs:
<link
rel="stylesheet"
href="https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.14.1/themes/base/jquery-ui.min.css"
integrity="sha512-TFee0335YRJoyiqz8hA8KV3P0tXa5CpRBSoM0Wnkn7JoJx1kaq1yXL/rb8YFpWXkMOjRcv5txv+C6UluttluCQ=="
crossorigin="anonymous"
referrerpolicy="no-referrer"
/>
Hopefully this won’t happen without bumping the version. 
Well for a thing like a jQuery release, I would expect not; but SRI checks can be applied to any script or link (with the appropriate rel types) element, not just well-released versioned software.
Thanks. Is it more preferred than the one I used? I noticed it has one more attribute referrerpolicy="no-referrer"
<script src="https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.14.1/jquery-ui.min.js" integrity="sha512-MSOo1aY+3pXCOCdGAYoBZ6YGI0aragoQsg1mKKBHXCYPIWxamwOE7Drh+N5CPgGI5SA9IEKJiPjdfqWFWmZtRA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
At the end of the day it’s just like @m_hutley already noted – a hash is a hash. Copy / pasting the complete tags from a CDN saves you the hassle of acquiring the hashes separately I guess.
It means that no Referer header will be sent with the request, so the server (in this case the CDN) won’t know where it is coming from. This is the most secure policy.
Thanks. I have a different question. I have these script tags and stylesheet tags defined in a separate main JSP page. There are individual pages where the aforementioned main JSP page is included, and when I inspect the individual page in the browser, the script tags from the main page show in the <head> HTML element, which is good. I was expecting that I shouldn’t need to define the same thing in individual pages.
However, I’m noticing that there is still a need to define all of these inside the individual pages (which shows up inside the body tag upon inspecting the individual page), which looks like a duplicate effort of doing same thing.
I am wondering if these integrity or crossorigin attributes have anything to do with these observations?
Here’s a screenshot of how I have to define at both places. I removed irrelevant script tags for brevity:
I’m not in the least familiar with JSP but this can be ruled out. Even if the integrity would somehow change from one page to another, the script / link tags would still show up in the markup, they just wouldn’t load.
This sounds more like a templating issue.