SRI (Subresource Integrity)

SRI (Subresource Integrity, W3C) est un mécanisme browser permettant de vérifier qu'un fichier (script, CSS) chargé depuis un CDN ou tiers n'a pas été modifié maliciously — via hash cryptographique inclus dans HTML attribute `integrity`. Protection contre CDN compromise ou MITM modifications.

Format HTML : `<script src="https://cdn.example.com/lib.js" integrity="sha384-abc123..." crossorigin="anonymous"></script>`

Fonctionnement :
(1) Developer calcule hash SHA-256/384/512 du fichier original.
(2) Embed dans attribute integrity.
(3) Browser télécharge resource.
(4) Browser calcule hash et compare.
(5) Si match → exécute ; si différent → block et logge erreur console.

Algorithmes supportés : SHA-256, SHA-384 (recommended), SHA-512.

Multiple hashes : `integrity="sha384-hash1 sha384-hash2"` — accept any match (useful pour rollouts ou multiple CDN copies).

Use cases :
(1) **Bootstrap, jQuery, React from CDN** — official CDNs publient hash SRI.
(2) **Analytics scripts** — verify Google Analytics, etc. not tampered.
(3) **Third-party widgets** — chatbots, embedded forms.
(4) **Open source libraries** — npm packages embedded via CDN.

Limitations :
(1) **Static resources only** — dynamic scripts (e.g. requirejs loads modules dynamically) can't easily SRI.
(2) **Updates require new hash** — every version change = regenerate hashes (build tool integration helps).
(3) **First-party scripts** less benefit (same-origin trust).
(4) **CDN flexibility loss** — cannot transparently update minified versions.

Tooling :
(1) Browser DevTools support SRI checks.
(2) **sri-toolbox** npm package generate hashes.
(3) Webpack plugin **webpack-subresource-integrity** auto-generate.
(4) Online generators : srihash.org.

CDNs supporting SRI :
- **cdnjs** — provide hash directly with file URL.
- **jsDelivr** — same.
- **unpkg** — npm package CDN, supports SRI.
- **Google Hosted Libraries** — provide SRI hashes.

Real-world incident : compromised CDN delivering modified library would inject crypto-miners, keyloggers, ou skimmers (Magecart). SRI prevents.

Combiné avec : (1) **CSP** require-sri-for directive (forces SRI on scripts) ; (2) **HTTPS** (no MITM modification possible without TLS break) ; (3) **HSTS**. Compétences Security+, CISSP.