Subresource Integrity: How to show only warning but not block resource?

Date: 2021-09-22

Subresource Integrity: How to show only warning but not block resource?

Secure approach

If you need some kind of flexibility, then you should use a fallback mechanism - loading the required resource from another URL. The probability that two different URLs will be hacked at the same time is a lot smaller compared to hacking just one resource. A fallback doesn't violate site security, because you must trust your known-good sources which you use in your code. If your resource is JavaScript, you can use a noncanonical-src attribute for a fallback too.

Microsoft provides asp-fallback-test; the final generated output is:

 <script src="https://cdn.bootcdn.net/ajax/libs/axios/0.19.2/axios.min.js" integrity="sha384-3zW4Ss6nBzDaj/vvjP2Qwu5xaWAzOgTSccYj0DfBO/5tDzQksJa+tWrYMlYPM00u" crossorigin="anonymous"></script>
<script>(window.axios||document.write("\u003Cscript src=\u0022/lib/axios/dist/axios.min.js\u0022 integrity=\u0022sha384-3zW4Ss6nBzDaj/vvjP2Qwu5xaWAzOgTSccYj0DfBO/5tDzQksJa\u002BtWrYMlYPM00u\u0022 crossorigin=\u0022anonymous\u0022\u003E\u003C/script\u003E"));</script>

Handling load error within subresource integrity check

Answer 1

Take a look at this implementation of SRI-fallback:

https://github.com/cyph/sri-fallback

Answer 2

You can check if the loaded resource is present and load a fallback local copy:

<script src="https://code.jquery.com/jquery-1.12.0.min.js" integrity="sha256-Xxq2X+KtazgaGuA2cWR1v3jJsuMJUozyIXDB3e793L8=" crossorigin="anonymous"></script>
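<script>
// If the CDN copy was blocked (SRI mismatch or network error), jQuery is undefined here.
if (!window.jQuery) {
    var script = document.createElement('script');
    script.src = '/local-resources/js/jquery-1.12.0.min.js';
    script.async = false; // preserve execution order relative to later scripts
    document.head.appendChild(script);
}
</script>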
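The fallback from Answer 2 can also be driven by the `error` event that the browser fires on a script element when the integrity check or the download fails, logging a warning and keeping the integrity check on the fallback copy as the generated ASP.NET markup above does. The following is an added example, not code from the original answers or from sri-fallback; the function name `loadScriptWithFallback` is hypothetical, and it assumes the local copy is byte-identical to the CDN file so the same hash applies.

```javascript
// Added example. Try each URL in order with the same SRI hash; a failed
// integrity check or network error fires "error" on the <script> element,
// which is where the warning is logged and the next source is tried.
// `doc` is passed in (normally `document`) so the logic can be unit-tested.
function loadScriptWithFallback(doc, urls, integrity, done) {
  const failures = [];

  function attempt(index) {
    if (index >= urls.length) {
      // Every source failed: fail closed, nothing unverified was executed.
      done(new Error('all sources failed: ' + failures.join(', ')), null);
      return;
    }
    const url = urls[index];
    const script = doc.createElement('script');
    script.src = url;
    script.integrity = integrity;      // the fallback copy is verified too
    script.crossOrigin = 'anonymous';  // needed for SRI on cross-origin loads
    script.async = false;              // keep execution order, as in Answer 2
    script.onload = function () { done(null, url); };
    script.onerror = function () {
      failures.push(url);
      console.warn('SRI or network failure for ' + url + ', trying next source');
      attempt(index + 1);
    };
    doc.head.appendChild(script);
  }

  attempt(0);
}

// Browser usage with the URLs and hash from Answer 2 (skipped outside a browser).
if (typeof document !== 'undefined') {
  loadScriptWithFallback(
    document,
    ['https://code.jquery.com/jquery-1.12.0.min.js',
     '/local-resources/js/jquery-1.12.0.min.js'],
    'sha256-Xxq2X+KtazgaGuA2cWR1v3jJsuMJUozyIXDB3e793L8=',
    function (err, loadedFrom) {
      if (err) console.error(err.message);
    }
  );
}
```

The `error` event does not say whether the cause was a hash mismatch or a failed download, so the warning covers both cases.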

Original source: https://www.cnblogs.com/chucklu/p/15320954.html