Problem

Subresource Integrity (SRI) enables browsers to verify that resources they fetch are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that the fetched resource must match.

SRI matters because it offers protection against malicious tampering. If an attacker compromised a content delivery network (CDN) and modified the contents of JavaScript libraries hosted on that CDN, it would create vulnerabilities in all websites that use those libraries.

SRI helps prevent attacks like cross-site scripting (XSS) by ensuring that the resources delivered to your site are exactly what they should be.

Solution

Formo supports SRI integration, providing an additional layer of security for your data and users.

You do not need to do anything to enable SRI. Formo uses SRI in its install snippet to lock an external JavaScript resource to its known contents at a specific point in time. This is verified by a base64-encoded cryptographic hash.

The hash in the integrity attribute within the Formo install script works with SRI out of the box. If the file is modified after this point, the hash won’t match, and supporting web browsers will refuse to load it.

This ensures that the script you’re running is exactly the one provided by Formo, without any hidden changes or malicious code.
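
The check described above, sketched as an added example (not Formo's code): it computes an integrity value and applies the matching rules a browser uses, including the general case of several hashes in one attribute. The function names, the sample script bodies and the sha384 default are assumptions made for illustration; the page does not state which algorithm Formo's snippet uses.

```python
import base64
import hashlib

# Hash algorithms defined for SRI, ranked weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Return the integrity value '<alg>-<base64 digest>' for a resource body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> list:
    """Split an integrity attribute into (alg, base64 digest) pairs."""
    parsed = []
    for token in attr.split():  # entries are whitespace separated
        # Anything after '?' is an option string and is dropped.
        alg, sep, value = token.partition("?")[0].partition("-")
        if sep and alg.lower() in STRENGTH:  # unknown algorithms are ignored
            parsed.append((alg.lower(), value))
    return parsed


def sri_allows(body: bytes, attr: str) -> bool:
    """Decide whether a browser enforcing SRI would load this body."""
    parsed = parse_integrity(attr)
    if not parsed:
        # No usable hash in the attribute: the resource loads unchecked.
        return True
    # Only the strongest algorithm present is consulted; any match passes.
    strongest = max(STRENGTH[alg] for alg, _ in parsed)
    return any(
        sri_hash(body, alg) == f"{alg}-{expected}"
        for alg, expected in parsed
        if STRENGTH[alg] == strongest
    )


# Constructed sample bodies standing in for a CDN-hosted script.
ORIGINAL = b"console.log('analytics loaded');\n"
TAMPERED = ORIGINAL + b"/* injected */\n"
PINNED = sri_hash(ORIGINAL)  # value that would sit in the integrity attribute

if __name__ == "__main__":
    print(PINNED)
    print(sri_allows(ORIGINAL, PINNED), sri_allows(TAMPERED, PINNED))
```

An attribute with no recognised hash is treated as absent, so a typo in the integrity value's algorithm prefix silently removes the protection rather than blocking the script.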