Subresource Integrity is a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation. It landed in Firefox 43.
The bulk of the code lives in these two classes:
which hook into:
Both of these hooks work in the same way:
- We start by creating an SRIMetadata object from the content of the integrity attribute as we process the element:
- We then wait until the file is downloaded and check that the hash of the contents matches the SRI hash:
- If the hashes don't match, we return NS_ERROR_SRI_CORRUPT, which fails the load and triggers the error event on that element.
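
The three steps above, sketched as an added example rather than Gecko's own code: it follows the matching rules of the W3C SRI specification (only the strongest listed algorithm is checked, and metadata with no usable token enforces nothing). The function names and the sample script body are assumptions made for this illustration.

```python
import base64
import hashlib

# Algorithms ordered weakest to strongest, as the SRI specification ranks them.
SUPPORTED = ("sha256", "sha384", "sha512")


def make_integrity(alg, body):
    """Build an integrity token such as 'sha384-<base64 digest>' for body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def parse_integrity(attr):
    """Step 1: turn the attribute into (algorithm, digest_bytes) pairs.

    Tokens with an unknown algorithm or undecodable base64 are ignored.
    """
    parsed = []
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        value = rest.split("?", 1)[0]  # drop any ?options suffix
        if not sep or alg.lower() not in SUPPORTED:
            continue
        try:
            digest = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        parsed.append((alg.lower(), digest))
    return parsed


def verify(attr, body):
    """Steps 2 and 3: hash the downloaded body and compare.

    False corresponds to the point where the load is failed
    (NS_ERROR_SRI_CORRUPT in the description above).
    """
    parsed = parse_integrity(attr)
    if not parsed:
        return True  # no usable metadata: nothing to enforce
    strongest = max(parsed, key=lambda p: SUPPORTED.index(p[0]))[0]
    actual = hashlib.new(strongest, body).digest()
    return any(d == actual for a, d in parsed if a == strongest)


if __name__ == "__main__":
    script = b"console.log('constructed sample');\n"  # constructed input
    attr = make_integrity("sha384", script)
    print(attr, verify(attr, script), verify(attr, script + b"//tampered"))
```

Because unusable metadata enforces nothing, a typo in the algorithm name silently disables the check, so it is worth validating integrity attributes at build time.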
The automated tests live in these two places:
To turn on debugging output, export the following environment variable: