Using SRI declarations is a simple matter of adding an integrity attribute to the HTML tag that points to an external resource (like a <script> tag). The attribute contains a hash specifier (like sha256) and the proper hash of the content you expect to load. This tells the browser that the resource the element points to should have the given hash. If the content that the browser receives from the remote server does not produce the specified hash, the browser ignores (refuses to load) the resource and fires an error event at the element instead:
<script src="//example.com/example-library.js" integrity="sha256-ab3c54ef..998756"></script>
wp_enqueue_script()), WP-SRI makes a note of the requested resource URL and adds it to a list of known resources. If WP-SRI has not seen the resource before, it grabs the resource content itself, produces a hash, and saves that alongside the resource URL in WordPress’s wp_options table. When HTML is printed to the screen, WP-SRI adds the integrity attribute and the associated hash automatically.
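The two halves described above, the hash recorded the first time a resource is seen and the check a browser applies to the integrity attribute, sketched in Node.js. This is an added example, not WP-SRI's code or part of the original post: knownHashes and integrityFor are hypothetical names, the sample input is constructed, and the base64 encoding of the digest and the rule that only the strongest listed algorithm is compared come from the SRI specification rather than from this page.

```javascript
// Added example, not WP-SRI's code. Node.js, standard library only.
const crypto = require("crypto");

// Hash functions SRI recognises, ordered weakest to strongest.
const ALGORITHMS = ["sha256", "sha384", "sha512"];

// Value for the integrity attribute: "<algorithm>-<base64 digest>".
function computeIntegrity(content, alg = "sha256") {
  if (!ALGORITHMS.includes(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${crypto.createHash(alg).update(content).digest("base64")}`;
}

// Split an integrity attribute into entries, skipping tokens that are
// malformed or name an unrecognised algorithm.
function parseIntegrity(attr) {
  const entries = [];
  for (const token of attr.trim().split(/\s+/)) {
    const dash = token.indexOf("-");
    if (dash < 0) continue;
    const alg = token.slice(0, dash);
    const digest = token.slice(dash + 1).split("?")[0]; // drop "?options"
    if (ALGORITHMS.includes(alg) && digest) entries.push({ alg, digest });
  }
  return entries;
}

// The browser-side decision: true means load, false means refuse the
// resource and fire an error event at the element.
function verifyIntegrity(content, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true; // nothing usable to enforce
  const rank = (e) => ALGORITHMS.indexOf(e.alg);
  const strongest = Math.max(...entries.map(rank));
  // Only hashes using the strongest listed algorithm are compared.
  return entries.filter((e) => rank(e) === strongest).some((e) =>
    crypto.createHash(e.alg).update(content).digest()
      .equals(Buffer.from(e.digest, "base64")));
}

// Record-on-first-sight store, standing in for the wp_options row
// (hypothetical names). The content is fetched only for an unseen URL.
const knownHashes = new Map();
function integrityFor(url, fetchContent) {
  if (!knownHashes.has(url)) knownHashes.set(url, computeIntegrity(fetchContent(url)));
  return knownHashes.get(url);
}
```

Because the hash is recorded on first sight, it vouches only for whatever the remote server returned at that moment; content that changes afterwards fails the check until the stored hash is refreshed.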
Using this plugin can dramatically reduce the likelihood that visitors to your site will be strong-armed into participating in an HTTP DDoS attack. In future versions of this plugin, I also hope to provide an easy-to-use interface for site administrators so that they can maintain a customized list of resource hashes, and to trigger on-demand integrity checks of these resources.