SRI with the integrity attribute but without crossorigin='anonymous' silently fails in some browsers for cross-origin resources — the integrity check is simply skipped, giving developers a false sense of security while providing zero actual verification. The resource loads without any tamper check. CWE-345 (Insufficient Verification of Data Authenticity) is the direct mapping — the verification mechanism is present but non-functional. CWE-494 applies because the code is downloaded without an effective integrity check. OWASP A08 (Software and Data Integrity Failures) identifies this as a common SRI implementation mistake that neutralizes the protection entirely.
High because a missing `crossorigin` attribute causes SRI verification to silently fail for cross-origin resources, converting a security control that appears active into one that provides zero protection.
Add crossorigin='anonymous' to every element that has an integrity attribute. These two attributes must always appear together for cross-origin resources.
<!-- WRONG: integrity check silently skipped -->
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-xyz789..."></script>

<!-- CORRECT: both attributes required -->
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-xyz789..."
        crossorigin="anonymous"></script>
Search your codebase for integrity= without crossorigin= on the same element: grep -rn 'integrity=' templates/ | grep -v crossorigin (the -r is needed for grep to descend into the templates directory). This one-liner only sees one line at a time: an element whose attributes are split across lines, as in the examples above, shows up as a match even when crossorigin= follows on the next line, so confirm such matches by hand or with an HTML-aware check. Fix every real match; a lone integrity attribute on a cross-origin resource provides no protection.
ID: security-headers-ii.supply-chain.sri-crossorigin
Severity: high
What to look for: Search all elements with integrity attributes. For each, check whether crossorigin="anonymous" is also present. Without the crossorigin attribute, SRI verification silently fails in some browsers for cross-origin resources — the integrity check is simply skipped, providing a false sense of security. Count all SRI resources.
Pass criteria: 100% of elements with integrity attribute also have crossorigin="anonymous". Report: "X of Y SRI resources have crossorigin attribute."
Fail criteria: Any element with integrity lacks the crossorigin attribute.
Skip (N/A) when: No elements with integrity attributes found (no SRI in use).
Cross-reference: For dependency vulnerability scanning, the Dependency & Supply Chain audit covers CVE detection.
Detail on fail: "X of Y SRI resources lack crossorigin='anonymous' — SRI verification silently fails for cross-origin resources" or "Script with integrity attribute missing crossorigin — integrity check may be bypassed"
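The grep one-liner above cannot follow an element across line breaks, and the "What to look for" step needs the X-of-Y count in the pass/fail wording. The following is an added example, written for this note and not code from any project, that does both: it parses HTML with the standard library, collects every script or link element carrying an integrity attribute, checks for crossorigin in the anonymous state (a bare crossorigin or crossorigin="" also maps to anonymous in HTML), and flags which of the failing elements are actually cross-origin. The sample template, the page origin https://www.example.com and the hash placeholders are constructed for the demonstration; the audit assumes plain HTML with no templating syntax inside the tags.

```python
"""Audit HTML for SRI elements whose integrity attribute is not paired with
crossorigin="anonymous".  Added example for this checklist item; it assumes
plain HTML templates and a known page origin (both assumptions, not project code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SriAuditor(HTMLParser):
    """Collects every <script>/<link> element that carries an integrity attribute."""

    def __init__(self, page_origin):
        super().__init__()
        # (scheme, host[:port]) of the document that embeds the resources
        self.page_origin = urlsplit(page_origin)[:2]
        self.elements = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag not in ("script", "link") or "integrity" not in a:
            return
        url = a.get("src") if tag == "script" else a.get("href")
        if not url:
            return
        parts = urlsplit(url)
        if parts.netloc:
            # Absolute or protocol-relative URL: compare scheme and host with the page origin.
            scheme = parts.scheme or self.page_origin[0]
            cross_origin = (scheme, parts.netloc) != self.page_origin
        else:
            cross_origin = False  # relative URL resolves to the page's own origin
        if "crossorigin" in a:
            # A bare `crossorigin` (value None here) or crossorigin="" is the anonymous state.
            value = (a["crossorigin"] or "").strip().lower()
            anonymous = value in ("", "anonymous")
        else:
            anonymous = False
        self.elements.append({"tag": tag, "url": url,
                              "cross_origin": cross_origin, "anonymous": anonymous})


def audit(html, page_origin):
    """Return the SRI/crossorigin counts and the failing elements for one template."""
    parser = SriAuditor(page_origin)
    parser.feed(html)
    parser.close()
    failing = [e for e in parser.elements if not e["anonymous"]]
    return {"total": len(parser.elements),
            "with_crossorigin": len(parser.elements) - len(failing),
            "failing": failing}


def report(result):
    """Phrase the outcome in the checklist's own pass / fail / N-A wording."""
    if result["total"] == 0:
        return "N/A: no elements with integrity attributes found (no SRI in use)"
    x, y = result["with_crossorigin"], result["total"]
    if x == y:
        return f"PASS: {x} of {y} SRI resources have crossorigin attribute."
    return (f"FAIL: {y - x} of {y} SRI resources lack crossorigin='anonymous' "
            "- SRI verification silently fails for cross-origin resources")


# Constructed sample template (not from any real site): one cross-origin script
# without crossorigin, one with it, a protocol-relative stylesheet with a bare
# crossorigin, a same-origin script without it, and a script with no SRI at all.
SAMPLE_HTML = """
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-xyz789..."></script>
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-xyz789..."
        crossorigin="anonymous"></script>
<link rel="stylesheet" href="//cdn.example.com/app.css"
      integrity="sha384-abc123..." crossorigin>
<script src="/static/local.js" integrity="sha384-def456..."></script>
<script src="https://cdn.example.com/other.js"></script>
"""

if __name__ == "__main__":
    result = audit(SAMPLE_HTML, "https://www.example.com")
    print(report(result))
    for e in result["failing"]:
        where = "cross-origin" if e["cross_origin"] else "same-origin"
        print(f"  <{e['tag']}> {e['url']} ({where}): integrity without crossorigin")
```

Running the block as a script prints the FAIL line for the sample (2 of 4) followed by the two offending elements; the same-origin one is listed so the reviewer can see it, while the cross-origin one is the case where the browser skips the check. Point audit() at each template file in turn to cover a whole codebase.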
Remediation: The crossorigin="anonymous" attribute is required for SRI to work on cross-origin resources. Without it, the browser skips integrity verification silently:
<!-- WRONG: integrity without crossorigin — SRI silently fails -->
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-xyz789..."></script>

<!-- CORRECT: both attributes present -->
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-xyz789..."
        crossorigin="anonymous"></script>
Always pair integrity with crossorigin="anonymous" for cross-origin resources.