Integrity and crossorigin attributes #41454

quivis · 2025-05-08T09:02:22Z

quivis
May 8, 2025

Gemini repeatedly introduces BS5 js and css calls that include integrity and crossorigin attributes but I can find precious little about them [i.e. nothing] here. Are they necessary? or a good idea and if so how does one go about generating them?

julien-deramond · 2025-05-08T13:23:10Z

julien-deramond
May 8, 2025
Maintainer

The integrity attribute enables Subresource Integrity (SRI)—it verifies that a fetched JS or CSS file hasn't been tampered with by checking its cryptographic hash. This is not the main topic, but there is some information about why integrity is important (and how to generate it) when using Bootstrap at Download > Alternative CDNs.

crossorigin="anonymous" is needed when loading from a CDN so the browser can fetch the file and still verify its integrity.

They're not required, but strongly recommended for third-party resources to prevent supply chain attacks.

0 replies

quivis · 2025-05-08T20:50:05Z

quivis
May 8, 2025
Author

Thanks Julien. I'm only surprised that Bootstrap itself does not do more to promote integrity and crossorigin attribution so I will certainly look at your download > alternative cdn link.

0 replies

jonhubby · 2025-05-31T10:49:14Z

jonhubby
May 31, 2025

Just to add to what Julien said, if you're using a CDN like jsDelivr or CDNJS, they usually provide the integrity attribute with the link. For self-hosted files, you can generate the hash using a tool like SRI Hash Generator. Keep in mind that even small changes to the file will require a new hash. Using integrity with crossorigin="anonymous" is a solid way to protect against unexpected changes or supply chain attacks.

0 replies

quivis · 2025-05-31T14:51:55Z

quivis
May 31, 2025
Author

Many thanks jonhubby - all grist for the proverbial.

…

On Sat, 31 May 2025 at 11:49, jonhubby ***@***.***> wrote: Just to add to what Julien said, if you're using a CDN like jsDelivr or CDNJS, they usually provide the integrity attribute with the link. For self-hosted files, you can generate the hash using a tool like SRI Hash Generator <https://www.srihash.org/>. Keep in mind that even small changes to the file will require a new hash. Using integrity with crossorigin="anonymous" is a solid way to protect against unexpected changes or supply chain attacks. — Reply to this email directly, view it on GitHub <#41454 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AKXS5YTQQWEALTSHBWTAQ533BGCMBAVCNFSM6AAAAAB4V6G2CWVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGMZSHA2TMMY> . You are receiving this because you authored the thread.Message ID: ***@***.***>

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bootstrap

Integrity and crossorigin attributes #41454

Uh oh!

{{title}}

Uh oh!

Replies: 4 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Bootstrap

Integrity and crossorigin attributes #41454

Uh oh!

quivis May 8, 2025

Replies: 4 comments

Uh oh!

julien-deramond May 8, 2025 Maintainer

Uh oh!

quivis May 8, 2025 Author

Uh oh!

jonhubby May 31, 2025

Uh oh!

quivis May 31, 2025 Author

quivis
May 8, 2025

julien-deramond
May 8, 2025
Maintainer

quivis
May 8, 2025
Author

jonhubby
May 31, 2025

quivis
May 31, 2025
Author