Login/Register
Implement subresouce integrity (SRI) for analytics.js (google-analytics) Mozilla Obersvatory
Asked Answered
javascriptsecuritygoogle-analyticscontent-security-policysubresource-integrity
M

0

7

Background

I have a site which uses Google analytics, like

<script 
   src="https://www.google-analytics.com/analytics.js"/>

and use Mozilla Observatory to test it for security flaws.

Problem

I have the following problem from Mozilla Observatory:

Subresource Integrity (SRI) not implemented, but all external scripts are loaded over HTTPS

Thoughts so far

It doesn't seem to be possible to create a hash for it, like via https://www.srihash.org/. And I don't want to create the hash locally because if analytics.js changes, it'll break the site.

I could use a nonce but I'm not sure how I would generate this with each request.

I was considering downloading analytics.js and using it locally instead. Are there any downsides to doing this?

Thanks in advance

Majors answered 5/9, 2020 at 17:16 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.