Http Third Party Resource Without Sri
Description
Detects third-party JavaScript resources loaded from known CDNs and services (such as Cloudflare, New Relic and Cookiebot) that lack Subresource Integrity (SRI) protection. Without SRI the browser executes whatever the third party serves, so if that provider or its CDN is compromised, tampered or malicious script content runs inside the application with no way for the browser to detect the change.
Detection Strategy
• Examines <script> tags in the HTML response
• Checks if the script source (src) domain matches known third-party providers (cloudflare.com, newrelic.com, cookiebot.com, etc.)
• Reports a vulnerability if either the 'integrity' attribute is missing or the 'crossorigin' attribute is not set (a cross-origin script must be fetched in CORS mode, which the 'crossorigin' attribute requests, for the browser to be able to verify its integrity hash)
• Only triggers for external scripts loaded from specific trusted CDNs and service providers
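As an added example, not part of the original rule or of Fluid Attacks' scanner, the detection strategy above implemented with Python's standard-library HTML parser. The domain list, the constructed sample HTML and the function names are assumptions; sri_hash shows the value a remediation would place in the integrity attribute once the script content has been pinned.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of third-party providers the rule cares about.
THIRD_PARTY_DOMAINS = ("cloudflare.com", "newrelic.com", "cookiebot.com")


class ScriptCollector(HTMLParser):
    """Collects the attribute dict of every <script> tag in the response."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser already lowercases tag/attr names
            self.scripts.append({k: (v or "") for k, v in attrs})


def is_third_party(src):
    """True when the src host is one of the listed providers or a subdomain."""
    host = (urlparse(src).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in THIRD_PARTY_DOMAINS)


def find_scripts_without_sri(html):
    """Return (src, reason) pairs for third-party scripts lacking SRI protection."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src or not is_third_party(src):
            continue  # inline and first-party scripts are out of scope for this rule
        if not attrs.get("integrity", "").strip():
            findings.append((src, "missing integrity attribute"))
        elif "crossorigin" not in attrs:
            # Without crossorigin the fetch is not in CORS mode, so the browser
            # cannot check the hash of a cross-origin script even if one is given.
            findings.append((src, "missing crossorigin attribute"))
    return findings


def sri_hash(content):
    """Value for the integrity attribute: sha384 digest of the pinned script bytes."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# Constructed sample response: one script per outcome the rule distinguishes.
SAMPLE_HTML = """<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://js-agent.newrelic.com/nr-loader.js" integrity="sha384-AAAA"></script>
<script src="https://consent.cookiebot.com/uc.js" integrity="sha384-BBBB" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head></html>"""
```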