Integrity checks

Policy files must use integrity checks with Subresource Integrity strings compatible with the browser integrity attribute associated with absolute URLs.

When using require() or import, all resources involved in loading are checked for integrity if a policy manifest has been specified. If a resource does not match the integrity listed in the manifest, an error will be thrown.

An example policy file that would allow loading a file checked.js:

{
  "resources": {
    "./app/checked.js": {
      "integrity": "sha384-SggXRQHwCG8g+DktYYzxkXRIkTiEYWBHqev0xnpCxYlqMBufKZHAHQM3/boDaI/0"
    }
  }
}

Each resource listed in the policy manifest can be in one of the following formats to determine its location:

  1. A relative-URL string to a resource from the manifest such as ./resource.js, ../resource.js, or /resource.js.

  2. A complete URL string to a resource such as file:///resource.js.

When loading resources the entire URL must match, including search parameters and hash fragment. ./a.js?b will not be used when attempting to load ./a.js, and vice versa.

To generate integrity strings, a script such as node -e 'process.stdout.write("sha256-");process.stdin.pipe(crypto.createHash("sha256").setEncoding("base64")).pipe(process.stdout)' < FILE can be used.

Integrity can be specified as the boolean value true to accept any body for the resource, which can be useful for local development. It is not recommended in production since it would allow unexpected alteration of resources to be considered valid.