Verifying authenticity
While a CSP and CORS are great for controlling which origins the browser may load resources from and which cross-origin responses a page may read, they are certainly not the solution for everything. One case where the CSP itself is quite helpless is when an allowed source has been modified to contain unwanted content. As an example, a script could be altered, without our knowledge, to contain a keylogger that sends sensitive information to an untrusted domain. As long as the script is still served from our domain (or from a CDN our CSP allows), the browser will still load it, putting our users at risk. One way to mitigate this is to introduce integrity checks with the Subresource Integrity (SRI) standard.
In its primary function, SRI ensures that the resources, such as scripts or style sheets, loaded by our micro frontend components haven't been tampered with. It involves adding an integrity attribute to the script and link tags we use, containing a cryptographic hash of the resource they reference. The browser recomputes the hash over the bytes it actually fetched and refuses to execute or apply the resource when the two do not match.
The following...