We are using this plugin on our website, but when we scan the website with the scorecard scanner it shows an “Unsafe Implementation Of Subresource Integrity” error for the https://www.google.com/recaptcha/api.js JavaScript file. We request that you please check this error and resolve it.
Error Description:
Subresource Integrity (SRI) is a security feature in web development designed to ensure the integrity of externally loaded resources on a webpage. These include scripts, stylesheets, and fonts. With SRI, developers include a cryptographic hash of the expected resource content in the HTML. When a user visits the webpage, the browser checks this hash against the actual content fetched from the external source. If the hashes match, that means the resource hasn’t been tampered with or compromised.
Risk
Without SRI, externally loaded resources, like scripts and stylesheets, lack integrity verification. This makes them susceptible to tampering. This creates a potential avenue for attackers to inject malicious scripts, which leads to Cross-Site Scripting (XSS) vulnerabilities, unauthorized data access, and other security threats.
Recommendations
– Ensure accurate cryptographic hashes are specified for all externally loaded resources using SRI attributes in the HTML.
– Routinely review and update cryptographic hashes to align with changes in resource content.
– Implement robust input validation and sanitization practices to prevent injection attacks.
– Use CSP to restrict resource sources. This adds an extra layer of control over content execution.
– Conduct regular security audits and penetration testing to promptly identify and address vulnerabilities.
Please look into this error and help us resolve it. If you need any other information from our side, let us know and we will provide it.
Thanks
We are using this plugin on our website https://www.brufen.com/, but when we scan the website with the scorecard scanner it shows an “Unsafe Implementation Of Subresource Integrity” error for the https://static.addtoany.com/menu/page.js JavaScript file. We request that you please check this error and resolve it.
Error Description:
Subresource Integrity (SRI) is a security feature in web development designed to ensure the integrity of externally loaded resources on a webpage. These include scripts, stylesheets, and fonts. With SRI, developers include a cryptographic hash of the expected resource content in the HTML. When a user visits the webpage, the browser checks this hash against the actual content fetched from the external source. If the hashes match, that means the resource hasn’t been tampered with or compromised.
Risk
Without SRI, externally loaded resources, like scripts and stylesheets, lack integrity verification. This makes them susceptible to tampering. This creates a potential avenue for attackers to inject malicious scripts, which leads to Cross-Site Scripting (XSS) vulnerabilities, unauthorized data access, and other security threats.
Recommendations
– Ensure accurate cryptographic hashes are specified for all externally loaded resources using SRI attributes in the HTML.
– Routinely review and update cryptographic hashes to align with changes in resource content.
– Implement robust input validation and sanitization practices to prevent injection attacks.
– Use CSP to restrict resource sources. This adds an extra layer of control over content execution.
– Conduct regular security audits and penetration testing to promptly identify and address vulnerabilities.
Please look into this error and help us resolve it. If you need any other information from our side, let us know and we will provide it.
Thanks
Here are the details:
Description
Subresource Integrity (SRI) is a security feature in web development designed to ensure the integrity of externally loaded resources on a webpage. These include scripts, stylesheets, and fonts. With SRI, developers include a cryptographic hash of the expected resource content in the HTML. When a user visits the webpage, the browser checks this hash against the actual content fetched from the external source. If the hashes match, that means the resource hasn’t been tampered with or compromised.
Risk
Without SRI, externally loaded resources, like scripts and stylesheets, lack integrity verification. This makes them susceptible to tampering. This creates a potential avenue for attackers to inject malicious scripts, which leads to Cross-Site Scripting (XSS) vulnerabilities, unauthorized data access, and other security threats.
Recommendation
– Ensure accurate cryptographic hashes are specified for all externally loaded resources using SRI attributes in the HTML.
– Routinely review and update cryptographic hashes to align with changes in resource content.
– Implement robust input validation and sanitization practices to prevent injection attacks.
– Use CSP to restrict resource sources. This adds an extra layer of control over content execution.
– Conduct regular security audits and penetration testing to promptly identify and address vulnerabilities.
But the script pointing to ajax is output to the page without any of those:
<script type='text/javascript' id='wordfence-ls-login-js-extra'>
/* <![CDATA[ */
var WFLSVars = {"ajaxurl":"https:\/\/my.domain\/admin-ajax\/","nonce":"4143373920","recaptchasitekey":"","useCAPTCHA":"","allowremember":"","verification":""};
/* ]]> */
</script>
The nonce /inside/ the code changes every couple of hours or so, so the hash for this whole script changes as well. Effectively this is impossible to use, as I cannot hash the script and add the hash to my CSP allowed hashes.
Can I remove the nonce from there or can this have an integrity tag?
relevant -> https://stackoverflow.com/questions/70855692/csp-and-script-localization-in-wordpress
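To make the mechanism concrete, here is an added example (not code from any of the plugins or posts above) that computes the hash token browsers compare for an SRI integrity attribute and for a CSP script-src hash, verifies a resource body against it, and shows why an inline script whose nonce value changes cannot be pinned with a fixed hash. The script body and the resource contents are constructed samples.

```python
import base64
import hashlib
import json

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the token a browser compares against: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Mimic the browser: the attribute may list several tokens; any match passes."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in SRI_ALGOS and sri_hash(content, algo) == token:
            return True
    return False


def script_tag(src: str, content: bytes) -> str:
    """Tag for an external script; crossorigin is required for cross-origin SRI."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def csp_script_hash(inline_body: str, algo: str = "sha256") -> str:
    """CSP hashes the element's exact text (UTF-8), tags excluded, quoted in script-src."""
    return "'" + sri_hash(inline_body.encode("utf-8"), algo) + "'"


def render_wflsvars(nonce: str) -> str:
    """Constructed stand-in for the localized inline script quoted in the post."""
    data = {"ajaxurl": "https://my.domain/admin-ajax/", "nonce": nonce,
            "recaptchasitekey": "", "useCAPTCHA": ""}
    return "/* <![CDATA[ */\nvar WFLSVars = " + json.dumps(data) + ";\n/* ]]> */"


if __name__ == "__main__":
    body = b"console.log('hello');"  # constructed sample resource body
    print(script_tag("https://cdn.example.invalid/page.js", body))
    print("tampered copy passes:", verify_integrity(body + b"//x", sri_hash(body)))
    # Every new WordPress nonce yields a new script body, hence a new CSP hash.
    for n in ("4143373920", "9876543210"):
        print(n, csp_script_hash(render_wflsvars(n)))
```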
I would like to report a small problem.
When I use wpfc on my site and then check my site with https://webbkoll.dataskydd.net/en/,
it delivers the following issues (SRI issue):
script //einfachkiss.at/wp-content/cache/wpfc-minified/quaukrio/btmo7.js
css //einfachkiss.at/wp-content/cache/wpfc-minified/fguyvg8t/btmo7.css
css //einfachkiss.at/wp-content/cache/wpfc-minified/kppcqfs6/btmo7.css
css //einfachkiss.at/wp-content/cache/wpfc-minified/djpio4ys/btmo7.css
css //einfachkiss.at/wp-content/cache/wpfc-minified/m0vh93xp/btmo7.css
Instead of the “//” there should be “https://”
I found the position in the code (wpFastestCache.php, line 34) where I did a dirty quick fix,
from
define("WPFC_WP_CONTENT_DIR",dirname(WPFC_WP_PLUGIN_DIR));
to
define("WPFC_WP_CONTENT_DIR",'https:/'.dirname(WPFC_WP_PLUGIN_DIR));
which solved the problem but is obviously not really state of the art.
So it would be great if you would consider this problem in one of your next releases.
As you can see above, the site URL is https://einfachkiss.at (in German), but if you have further questions do not hesitate to ask.
There is no implementation for SRI/Subresource Integrity.
As far as I understand you might be able to add it easily.
Thanks in advance
I’ve installed the plugin but I still can’t pass the test on https://observatory.mozilla.org/.
I’ve tested it on this website https://neoredesign.wpengine.com/. I’ve deactivated every plugin (except yours..), switched to a default theme, but the error is still showing up.
Any idea on how to resolve this?
Thank you very much
Subresource Integrity (SRI)
https://cdn.onesignal.com
https://connect.facebook.net
How do I do that and is this important?
Thanks for the support!