Build fluency in the vocabulary of verifying a third-party script's content against a hash.
1 / 5
At standup, a dev mentions a script tag that includes a cryptographic hash of the expected file content, so the browser refuses to execute the script if a CDN ever serves something that doesn't match. What is this attribute called?
Subresource Integrity, or SRI, adds a cryptographic hash of the expected file content to a script or stylesheet tag, so the browser computes the hash of whatever it actually downloads and refuses to execute it if that hash doesn't match. A Content Security Policy restricts which origins a resource may load from, which is a different, complementary control that says nothing about the exact bytes of a specific file. This hash verification is what protects against a trusted CDN itself being compromised and serving tampered content.
2 / 5
During a design review, the team adds both an integrity attribute and a crossorigin attribute to a third-party script tag loaded from a CDN. Which capability does the crossorigin attribute enable here?
The crossorigin attribute makes the browser fetch the resource in CORS mode, so the response is readable and can be checked against the integrity hash; without it, a cross-origin resource's content is opaque to the page and the browser cannot perform the integrity check at all. Preventing the browser from loading the script entirely would defeat the purpose of including it in the first place. Pairing crossorigin with integrity is therefore required for SRI to function on a resource loaded from a different origin, such as a public CDN.
3 / 5
In a code review, a dev notices a script tag pointing to a third-party CDN with no integrity attribute set at all. What does this represent?
This is a missing Subresource Integrity check, which leaves the page fully trusting whatever content the CDN happens to serve at request time, with no way for the browser to detect whether that content has since changed or been tampered with. A Content Security Policy violation is a distinct concern about permitted origins, not about verifying a specific file's exact content. Flagging a third-party script tag with no integrity attribute is a standard code-review catch for any page loading a resource from infrastructure it doesn't directly control.
4 / 5
An incident report shows a compromised CDN served a malicious version of a widely used script, and every site that loaded it with no Subresource Integrity hash executed the malicious code without any way to detect the tampering. What practice would prevent this?
Adding an integrity attribute with the expected file's hash to every third-party script tag lets the browser refuse to execute a tampered version, since the hash of the compromised script won't match the hash the page was told to expect. Continuing to load the script with no integrity attribute at all is exactly what let every site execute the malicious code without any way to detect the tampering in this incident. This hash-pinning is a standard, low-cost defense for any page that depends on a third-party-hosted script or stylesheet.
5 / 5
During a PR review, a teammate asks why the team pins an integrity hash on every third-party script tag instead of just trusting the CDN provider to always serve exactly the file it's supposed to. What is the reasoning?
Trusting the CDN provider alone offers no protection if that provider is ever compromised, whether through a supply-chain attack or an internal breach, since the page would simply receive and execute whatever content the CDN happens to serve. An integrity hash lets the browser itself detect and refuse a mismatched file regardless of why it changed, closing that gap independent of how much the team trusts the provider. The tradeoff is that the pinned hash must be updated deliberately whenever the legitimate file itself is intentionally updated, adding a small maintenance step to any script version bump.