This rule flags HTML elements that load statically versioned remote resources without a cryptographic integrity check.
When a web application loads a script or stylesheet from a remote host without verifying its integrity, it relies entirely on that host being trustworthy and uncompromised. HTTPS only protects the resource in transit; it does not guarantee that the content served has not been tampered with at the source or by the CDN.
This rule raises an issue when a <script> tag, a <link rel="stylesheet"> tag, or a dynamically created script element loads a resource from a URL whose path contains a recognizable version segment (indicating a static, pinned artifact) but omits the integrity attribute. Resources loaded from mutable URLs (such as analytics libraries, payment SDKs, or any endpoint that intentionally updates its content without changing its URL) are excluded, because Subresource Integrity is structurally incompatible with content that can change at any time.
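As an added illustration of the detection scope described above (this is example code written for this page, not the rule's own implementation), the following Node.js script audits an HTML snippet the way the rule does: it picks out script and stylesheet tags, treats a URL whose path has a version-looking segment as a pinned artifact, and reports those that lack an integrity attribute or, having one, lack the crossorigin attribute the check depends on. The HTML sample, the version-segment pattern and the regex-based tag parsing are assumptions of this example, not part of the rule.

```javascript
// Path segment that looks like a pinned version: /v5.3.6/, /1.2/, /2.0.0-beta.1/
// (assumed pattern; the rule's real heuristic is not reproduced here).
const VERSION_SEGMENT = /\/v?\d+\.\d+(?:\.\d+)?(?:-[0-9A-Za-z.]+)?(?=\/|$)/;

// True when the URL is absolute and its path contains a version-like segment.
function hasVersionSegment(url) {
  let pathname;
  try {
    pathname = new URL(url).pathname;
  } catch (e) {
    return false; // relative or malformed URL: not a remote pinned artifact
  }
  return VERSION_SEGMENT.test(pathname);
}

// Extracts attributes of one tag into an object with lower-cased keys.
// Deliberately simple: handles double-, single- and unquoted values only.
function parseAttributes(tagText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagText)) !== null) {
    const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Scans <script src=...> and <link rel="stylesheet" href=...> tags and returns
// one finding per versioned remote resource that is loaded without SRI, or with
// an integrity value but without crossorigin (no-cors fetch cannot be verified).
function auditSubresourceIntegrity(html) {
  const findings = [];
  const tagRe = /<(script|link)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tagName = m[1].toLowerCase();
    const attrs = parseAttributes(m[0]);
    let url;
    if (tagName === "script") {
      url = attrs.src;
    } else if ((attrs.rel || "").toLowerCase() === "stylesheet") {
      url = attrs.href;
    }
    // Unversioned (mutable) URLs and non-stylesheet links are out of scope.
    if (!url || !hasVersionSegment(url)) continue;
    if (!attrs.integrity) {
      findings.push({ url, problem: "missing integrity" });
    } else if (!("crossorigin" in attrs)) {
      findings.push({ url, problem: "integrity set but crossorigin missing" });
    }
  }
  return findings;
}

// Constructed sample page: two noncompliant loads, one compliant load,
// one mutable (unversioned) URL and one non-stylesheet link.
const SAMPLE_HTML = `
<script src="https://cdn.example.com/v5.3.6/script.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/lib/1.2.0/style.css">
<script src="https://cdn.example.com/v5.3.6/script.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>
<script src="https://analytics.example.com/latest/tag.js"></script>
<link rel="icon" href="https://cdn.example.com/v2.0/favicon.ico">
`;

console.log(JSON.stringify(auditSubresourceIntegrity(SAMPLE_HTML), null, 2));
```

Run with node; the sample yields two findings, the unpinned analytics tag and the icon link are skipped, and the third script passes because it carries both integrity and crossorigin.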
If the remote source or its CDN is compromised, an attacker can silently replace the artifact with malicious code that executes in every visitor’s browser or on the server.
Client-side malware injected this way can impersonate users, capture credentials and session tokens, harvest sensitive personal data, or silently mine cryptocurrency in the background.
On the server side, a tampered artifact can access and modify sensitive business data, escalate privileges on the underlying operating system, or use the compromised application as a pivot to attack the local network.
The following code loads a statically versioned resource without an integrity check, meaning any replacement of the artifact (whether by a supply-chain compromise or a tampered CDN) will execute unverified in the application. Note that crossorigin="anonymous" must also be set on the compliant version: without it the browser fetches the script in no-cors mode, receives an opaque response whose body it cannot read, and therefore cannot verify it, silently bypassing SRI.
```javascript
let script = document.createElement("script");
script.src = "https://cdn.example.com/v5.3.6/script.js"; // Noncompliant
script.crossOrigin = "anonymous";
document.head.appendChild(script);
```
Compliant solution: the same load, pinned to the expected content with an integrity hash and fetched in CORS mode so the browser can check it.

```javascript
let script = document.createElement("script");
script.src = "https://cdn.example.com/v5.3.6/script.js";
script.integrity = "sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC";
script.crossOrigin = "anonymous";
document.head.appendChild(script);
```