user13955 user13955 - 1 year ago 90
Javascript Question

Does javascript subresource integrity check protect from client-side editing?

The question says it all. Does the use of subresource integrity checks foil execution of javascript which has been edited locally (say in the browser's debug window)?

Appreciate any insights.


Quote from MDN:

Browsers handle SRI by doing the following:

When a browser encounters a <script> or <link> element with an integrity attribute, before executing the script or before applying any stylesheet specified by the <link> element, the browser must first compare the script or stylesheet to the expected hash given in the integrity value.

If the script or stylesheet doesn’t match its associated integrity value, then the browser must refuse to execute the script or apply the stylesheet, and must instead return a network error indicating that fetching of that script or stylesheet failed.

So no, it does not protect from malicious code being executed via console, since that wont affect the loaded files in any way.