This plugin hasn’t been tested with the latest three major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

Subresource Integrity (SRI) Manager

Description

A WordPress plugin for easily adding a Subresource Integrity (SRI) declaration to any third-party content your pages load. The standards-based integrity attribute is a defence-in-depth best practice currently making its way into browsers. This plugin closely tracks the W3C draft.

Currently, the plugin automatically detects any third-party resources (like JavaScript libraries) and makes a SHA-256 hash of the content. It remembers this hash (until you uninstall the plugin or delete the hash from the admin interface), and modifies your page’s <script> and <link> elements on-the-fly. This way, your visitors’ web browsers can automatically ensure that the specific library you’re using is the one they’re loading.
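As an added illustration (not the plugin's own code), the hash-and-rewrite flow described above can be sketched in standalone PHP. The function names, site host, sample URLs and script body are hypothetical and constructed for the example.

```php
<?php
// Added illustration; not the plugin's source. All names and data are hypothetical.

// SRI value: algorithm prefix + base64 of the RAW digest (not the hex string).
function example_sri_value( string $body ): string {
    return 'sha256-' . base64_encode( hash( 'sha256', $body, true ) );
}

// A resource is third-party when its host differs from the site's own host.
function example_is_third_party( string $url, string $site_host ): bool {
    $host = parse_url( $url, PHP_URL_HOST );
    return is_string( $host ) && strcasecmp( $host, $site_host ) !== 0;
}

// Add integrity and crossorigin attributes to a <script> or <link> tag, unless the
// URL is first-party, excluded, has no remembered hash, or is already protected.
function example_add_integrity( string $tag, string $url, string $site_host, array $hashes, array $excluded ): string {
    if ( ! example_is_third_party( $url, $site_host ) ) return $tag;
    if ( in_array( $url, $excluded, true ) ) return $tag;
    if ( ! isset( $hashes[ $url ] ) ) return $tag;
    if ( stripos( $tag, ' integrity=' ) !== false ) return $tag;

    $attrs = ' integrity="' . htmlspecialchars( $hashes[ $url ], ENT_QUOTES ) . '" crossorigin="anonymous"';
    // Insert before the end of the opening tag (assumes no '>' inside attribute values).
    $pos = strpos( $tag, '>' );
    if ( $pos === false ) return $tag;
    if ( $pos > 0 && $tag[ $pos - 1 ] === '/' ) $pos--; // self-closing <link ... />
    return substr_replace( $tag, $attrs, $pos, 0 );
}

// Constructed sample data: one CDN script and one personalised, excluded asset.
$site     = 'blog.example.org';
$cdn_url  = 'https://cdn.example.net/lib.js';
$cdn_body = "console.log('lib v1');\n";
$personal = 'https://example.com/personalized_content';
$hashes   = array(
    $cdn_url  => example_sri_value( $cdn_body ), // hashed once, then remembered
    $personal => example_sri_value( 'content for one user' ),
);
$excluded = array( $personal );

echo example_add_integrity( '<script src="' . $cdn_url . '"></script>', $cdn_url, $site, $hashes, $excluded ), "\n";
echo example_add_integrity( '<script src="' . $personal . '"></script>', $personal, $site, $hashes, $excluded ), "\n";

// A changed body no longer matches the remembered value; a browser would refuse to run it.
var_dump( example_sri_value( $cdn_body . '/* changed */' ) === $hashes[ $cdn_url ] );
```

The first tag gains the integrity and crossorigin attributes, the excluded URL is left untouched, and the final comparison shows why a modified file fails the browser's check.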

Using this plugin can dramatically reduce the likelihood that visitors to your site will be strong-armed into participating in an HTTP DDoS attack. For more information, see “An introduction to JavaScript-based DDoS” by Nick Sullivan.

Future versions of this plugin will also provide an easy-to-use interface for site administrators to maintain a customized list of resource hashes, and to trigger on-demand integrity checks of these resources.

This plugin is still somewhat skeletal. Feature requests and patches are welcome! Please provide a test case with your patch. See the tests subdirectory for unit tests.
If you like this plugin, please consider making a donation for your use of the plugin, purchasing one of Meitar’s web development books or, better yet, contributing directly to Meitar’s Cyberbusking fund. (Publishing royalties ain’t exactly the lucrative income it used to be, y’know?) Your support is appreciated!

Installation

  1. Upload the unzipped wp-sri folder to the /wp-content/plugins/ directory.
  2. Activate the plugin through the ‘Plugins’ menu in WordPress.

FAQ

WP-SRI breaks my plugin/theme. How can I prevent it from blocking my assets?

If you’re a site administrator, you can manually exclude specific resources by their URL from the Subresource Integrity Manager screen under Tools → Subresource Integrity Manager.

If you’re a plugin or theme author, you can use the option_wp_sri_excluded_hashes filter hook to dynamically whitelist assets. Please only do this for assets that are truly personalised, that is, only for assets whose URL is always the same but whose content is different for each user or page load.

For example, to ensure that the URL at https://example.com/personalized_content is never checked for integrity with SRI attributes, use the following PHP code:

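// Append a URL to the list of resources WP-SRI must never add integrity attributes to.
function example_never_add_integrity_checking( $items ) {
    $items[] = 'https://example.com/personalized_content';
    return $items;
}
// option_wp_sri_excluded_hashes is a filter hook, so register the callback with add_filter().
add_filter( 'option_wp_sri_excluded_hashes', 'example_never_add_integrity_checking' );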

Learn more about this filter hook.

Reviews

October 15, 2019
For my installation it added integrity only on one resource, a font css from googleapis.com, but site has tons of other resources loaded from googletagmanager.com, uberflip.com, leadspace.com and so on.
May 15, 2017
An excellent little plugin that implements Subresource Integrity (SRI) with no fuss. Remember it only adds the integrity attribute tag to <script> tags: 1) referencing files served via https 2) on a different server
April 14, 2017
It says it automatically adds integrity tags to external javascript tags, but it does not work and there is no way of manually adding them in the options page which has no features at all.

Contributors & Developers

“Subresource Integrity (SRI) Manager” is open source software. The following people have contributed to this plugin.

Contributors

“Subresource Integrity (SRI) Manager” has been translated into 1 locale. Thank you to the translators for their contributions.

Change log

Version 0.3.0

  • Feature: Add ability to exclude URLs. Useful when SRI attributes block personalised assets.

Version 0.2.2

  • Bugfix: Load plugin textdomain files to prepare for translation.

Version 0.2.1

  • Add the crossorigin="anonymous" attribute/value pair to modified elements to enable Firefox 43’s handling of integrity checks.

Version 0.2

  • Feature: A simple administrative interface can be found under the “Subresource Integrity Manager” option in your WordPress Tools menu. This interface allows you to view the URL and hash pairs currently known by your site, and to delete them. Deleting a known hash will cause WordPress to refetch and rehash the resource when it is next requested.

Version 0.1

  • Initial release.