Article Details
Id: 18246
Product: finPOWER Connect
Type: NEW
Version: 3.04.00
Opened: 20/05/2021
Closed: 28/05/2021
Released: 30/06/2021
Job: J026620

finPOWER Connect Cloud Configuration form; Security page; New Subresource Integrity option

A new option to "Apply SRI to known external resources where possible" has been added to the finPOWER Connect Cloud Configuration form, Security page.

Subresource Integrity is used to ensure that an externally accessed resource (such as the jQuery library) has not been tampered with.

This is achieved by the addition of an 'integrity' attribute that is applied to HTML <script> tags.

The following articles explain SRI and allow 'integrity' values to be calculated:

Currently, with this option switched on, SRI is applied to the following resources:

  • https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js

Other external resources, such as the following, do not deliver the CORS HTTP header required to use SRI and hence are unchanged:

  • https://www.gstatic.com/charts/loader.js
    • Used for charts
  • https://maps.googleapis.com/maps/api/js?v=3.exp
    • Used for address auto-complete

NOTE: Portals and HTML Widgets referencing other external libraries can use the tool available at https://www.srihash.org/ to include their own 'integrity' attribute if required.
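
The following added example (not finPOWER Connect code) computes an 'integrity' value, checks bytes against it the way a browser does, and applies the attribute only when the response carries a suitable CORS header. The function names, the portal.example and cdn.example hosts, the headers and the script bodies are constructed for illustration.

```javascript
// Added example; function names, sample bytes, headers and origin are constructed.
const { createHash } = require('node:crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Value for the 'integrity' attribute: "<algo>-<base64 digest of the exact bytes>".
function sriHash(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Check bytes as a browser does: ignore unknown algorithms, keep only the
// strongest algorithm listed, accept if any digest for that algorithm matches.
function verifySri(body, integrity) {
  const parsed = integrity.trim().split(/\s+/).map((token) => {
    const dash = token.indexOf('-');
    const algo = dash < 0 ? '' : token.slice(0, dash);
    return { algo, digest: token.slice(dash + 1).split('?')[0] };
  }).filter((m) => STRENGTH.includes(m.algo));
  if (parsed.length === 0) return true; // no usable metadata, nothing enforced
  const rank = (m) => STRENGTH.indexOf(m.algo);
  const best = parsed.reduce((a, b) => (rank(b) > rank(a) ? b : a)).algo;
  const expected = sriHash(body, best).slice(best.length + 1);
  return parsed.some((m) => m.algo === best && m.digest === expected);
}

// SRI on a cross-origin script needs a CORS-enabled response for the page.
function corsAllowsSri(headers, pageOrigin) {
  const hit = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === 'access-control-allow-origin');
  return hit !== undefined && (hit[1] === '*' || hit[1] === pageOrigin);
}

// Add 'integrity' only when the response is eligible; otherwise leave the tag unchanged.
function scriptTag(url, body, headers, pageOrigin) {
  if (!corsAllowsSri(headers, pageOrigin)) return `<script src="${url}"></script>`;
  return `<script src="${url}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample data (not real library contents or real responses).
const origin = 'https://portal.example';
const body = Buffer.from('/* constructed library */ window.lib = 1;');
const tampered = Buffer.from('/* constructed library */ window.lib = 2;');

console.log(scriptTag('https://cdn.example/lib.min.js', body, { 'Access-Control-Allow-Origin': '*' }, origin));
console.log(scriptTag('https://cdn.example/loader.js', body, {}, origin));
console.log('original passes:', verifySri(body, sriHash(body)));
console.log('tampered passes:', verifySri(tampered, sriHash(body)));
```

The digest covers the exact bytes served, so any change to the hosted file, including a legitimate update at the same URL, makes the browser refuse the script until the 'integrity' value is recalculated.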