What is subresource integrity?
This is a security measure that prevents damage if a third-party script you load is hacked.
And you expand it by adding an
<script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>
Why is it not generally supported by analytics providers?
At the time of writing, we are not aware of any major analytics provider which supports SRI as standard, including:
The main reason is that the underlying script itself is often changed. When it changes, its hash no longer matches the one in the HTML that points to it, so that HTML needs updating or the script will stop working.
Analytics code is usually updated quite regularly to incorporate new features, fix bugs, and address new browser capabilities or incompatibilities.
People have asked Google Analytics and others to support this for years, so far to no avail.
What can you do with Silktide Analytics?
If SRI is important to you, we propose the following workaround:
src attribute of the sample code.
src to point to your new URL where you host the script.
Add the new integrity attribute you generated.
What about updates?
At this time there is no automated mechanism for receiving updates or notifications of updates to our analytics script.
This is because (a) it updates every time you change your analytics config and (b) we deploy updates to customer scripts in a distributed manner (i.e. patches to our script are gradually deployed over several days).
All scripts are designed to be backward compatible. If this ever changes, we will notify all customers by email.
Updates are generally relatively infrequent (quarterly).
In general you can safely host the fixed version of the analytics script and only aim to update it if you need to make an update to your analytics config (e.g. changing the URLs of your website). If major new functionality or backward incompatible changes are released, we will notify you.
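The workaround and the update advice above, sketched as an added example in Python (not Silktide's code): it generates the integrity value for the copy you host, builds the snippet, and checks whether a newly downloaded copy still matches the pinned value. The script bytes and the static.example.org URL are constructed placeholders.

```python
import base64
import hashlib
import html

# Hash functions SRI allows, weakest to strongest.
ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed stand-ins for the downloaded script and a later vendor update.
PINNED = b"window.analytics=function(){/* v1 */};\n"
UPDATED = b"window.analytics=function(){/* v2 */};\n"


def sri_value(script_bytes: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value for the exact bytes you host."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"SRI does not allow {algorithm!r}")
    digest = hashlib.new(algorithm, script_bytes).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, script_bytes: bytes) -> str:
    """Build the snippet: self-hosted src plus the generated integrity."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_value(script_bytes)}" '
            'crossorigin="anonymous"></script>')


def integrity_matches(integrity: str, script_bytes: bytes) -> bool:
    """Mirror the browser check: only the strongest algorithm listed is
    considered, and any one matching hash at that strength passes."""
    by_alg = {}
    for token in integrity.split():
        alg, sep, rest = token.partition("-")
        if sep and alg in ALGORITHMS:
            by_alg.setdefault(alg, []).append(rest.split("?", 1)[0])
    if not by_alg:
        # A browser would load the script unchecked; fail a deploy check.
        raise ValueError("integrity value contains no usable hash")
    strongest = max(by_alg, key=ALGORITHMS.index)
    actual = sri_value(script_bytes, strongest).split("-", 1)[1]
    return actual in by_alg[strongest]


if __name__ == "__main__":
    pinned = sri_value(PINNED)
    print(script_tag("https://static.example.org/js/analytics.js", PINNED))
    print("hosted copy matches:", integrity_matches(pinned, PINNED))
    print("new download differs:", not integrity_matches(pinned, UPDATED))
```

Hash the file exactly as it will be served: any change to the bytes, including re-minification or a changed line ending, produces a different value and the browser will refuse to run the script.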
We are considering adding native support for SRI. This is not guaranteed, but we appreciate the desire for it. No one else we know has done this; it is quite involved, and there are some usability tradeoffs.
Analytics would add an option to enable SRI. Enabling this would:
Change their HTML snippet to include automated SRI attributes and point to a static file that lacks dynamic config; the dynamic config would be moved into the snippet
Notify the user to update their HTML snippet if they change any config options which require it
Ask for any email addresses to be notified when updated analytics is available; we would automatically email them when minor and major updates occur.