Subresource Integrity Checks (SRI)

Subresource Integrity, or SRI, is used to make sure that the script doesn’t change out from under you. It’s an important security check when you depend on third-party vendors for code.

The default URL to the TrackJS agent is a floating URL that always points at the latest version of the agent. This allows us to push out bug fixes and improvements without you needing to make code changes. But it does introduce the risk that behavior may change without your knowledge, which is why you’re looking at SRI.

How to get Subresource Integrity with TrackJS

1. Use the TrackJS Module

Rather than using the SRI directives directly, you can accomplish the same goal by using the TrackJS npm module and bundling the agent into your code. This allows you to control exactly which version is included, and it probably saves you a network request too!

2. Reference a version-specific agent

Rather than pointing at the latest version of the agent, you can reference a specific version from the CDN:

https://cdn.trackjs.com/agent/3.10.4/t.js

You can find the paths to each version of the agent in our CHANGELOG. If you’d like to further guarantee that the code doesn’t change, you can generate an SRI hash for any of these paths using this free SRI tool:

<script src="https://cdn.trackjs.com/agent/3.10.4/t.js"
    integrity="sha384-njM4XFxHYqEd5zVpi3Zt1t/TGkshDeMEjIGUJtLQ38d6zwGZpTj9tPXlhspkHNhK"
    crossorigin="anonymous"></script>
SRI hash for TrackJS Agent
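
If you would rather compute and check the hash yourself, for example in a build step, the following added example (not TrackJS code) shows how an `integrity` value is derived and checked in Node.js. The function names `sriHash` and `verifySri` and the sample file contents are assumptions made for illustration, and the example goes slightly beyond the single-hash case above by handling an attribute that lists several hashes.

```javascript
// Added example (not TrackJS code): compute and check SRI values in Node.js.
const { createHash } = require("node:crypto");

// Hash functions SRI allows, ordered weakest to strongest.
const ALGS = ["sha256", "sha384", "sha512"];

// Build an integrity value ("sha384-<base64 digest>") for a file's raw bytes.
function sriHash(bytes, alg = "sha384") {
  if (!ALGS.includes(alg)) throw new Error(`unsupported SRI algorithm: ${alg}`);
  return `${alg}-${createHash(alg).update(bytes).digest("base64")}`;
}

// Check bytes against an integrity attribute. As in browsers, only the
// strongest algorithm listed is enforced and any matching digest for it passes.
// Unlike browsers, an attribute with no usable hash fails closed here.
function verifySri(bytes, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => /^(sha256|sha384|sha512)-([A-Za-z0-9+\/=]+)$/.exec(t))
    .filter(Boolean)
    .map(([, alg, digest]) => ({ alg, digest }));
  if (tokens.length === 0) return false;
  const strongest = tokens.reduce(
    (best, t) => (ALGS.indexOf(t.alg) > ALGS.indexOf(best) ? t.alg : best),
    tokens[0].alg
  );
  const actual = sriHash(bytes, strongest).slice(strongest.length + 1);
  return tokens.some((t) => t.alg === strongest && t.digest === actual);
}

// Constructed sample inputs standing in for a pinned agent file and a changed one.
const pinnedFile = Buffer.from("/* constructed sample: agent build A */\n");
const changedFile = Buffer.from("/* constructed sample: agent build B */\n");

function demo() {
  const integrity = sriHash(pinnedFile); // value for the integrity="" attribute
  return {
    integrity,
    pinnedOk: verifySri(pinnedFile, integrity),   // true
    changedOk: verifySri(changedFile, integrity), // false
  };
}

console.log(demo());
```

Hash the exact bytes served at the version-specific URL; any change to the file, including whitespace, produces a different value and the browser will refuse to run the script.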

Note that SRI requires the CORS headers to be sent, and we’ve seen lots of third-party networks strip out or manipulate CORS headers. We recommend using TrackJS as a module instead.