SRI elements have crossorigin attribute
Why it matters
SRI with the integrity attribute but without crossorigin='anonymous' silently fails in some browsers for cross-origin resources — the integrity check is simply skipped, giving developers a false sense of security while providing zero actual verification. The resource loads without any tamper check. CWE-345 (Insufficient Verification of Data Authenticity) is the direct mapping — the verification mechanism is present but non-functional. CWE-494 applies because the code is downloaded without an effective integrity check. OWASP A08 (Software and Data Integrity Failures) identifies this as a common SRI implementation mistake that neutralizes the protection entirely.
Severity rationale
High because a missing `crossorigin` attribute causes SRI verification to silently fail for cross-origin resources, converting a security control that appears active into one that provides zero protection.
Remediation
Add `crossorigin="anonymous"` to every element that has an `integrity` attribute. These two attributes must always appear together for cross-origin resources.

```html
<!-- WRONG: integrity check silently skipped -->
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-xyz789..."></script>

<!-- CORRECT: both attributes required -->
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-xyz789..."
        crossorigin="anonymous"></script>
```

Search your codebase for `integrity=` without `crossorigin=` on the same element: `grep -n 'integrity=' templates/ | grep -v crossorigin`. Fix every match — a lone integrity attribute on a cross-origin resource provides no protection.
Detection
- ID: `sri-crossorigin`
- Severity: high
- What to look for: Search all elements with `integrity` attributes. For each, check whether `crossorigin="anonymous"` is also present. Without the `crossorigin` attribute, SRI verification silently fails in some browsers for cross-origin resources — the integrity check is simply skipped, providing a false sense of security. Count all SRI resources.
- Pass criteria: 100% of elements with an `integrity` attribute also have `crossorigin="anonymous"`. Report: "X of Y SRI resources have crossorigin attribute."
- Fail criteria: Any element with `integrity` lacks the `crossorigin` attribute.
- Skip (N/A) when: No elements with `integrity` attributes found (no SRI in use).
- Cross-reference: For dependency vulnerability scanning, the Dependency & Supply Chain audit covers CVE detection.
- Detail on fail: "X of Y SRI resources lack crossorigin='anonymous' — SRI verification silently fails for cross-origin resources" or "Script with integrity attribute missing crossorigin — integrity check may be bypassed"
- Remediation: The `crossorigin="anonymous"` attribute is required for SRI to work on cross-origin resources. Without it, the browser skips integrity verification silently:

  ```html
  <!-- WRONG: integrity without crossorigin — SRI silently fails -->
  <script src="https://cdn.example.com/lib.js"
          integrity="sha384-xyz789..."></script>

  <!-- CORRECT: both attributes present -->
  <script src="https://cdn.example.com/lib.js"
          integrity="sha384-xyz789..."
          crossorigin="anonymous"></script>
  ```

  Always pair `integrity` with `crossorigin="anonymous"` for cross-origin resources.
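As an added example (not part of the original rule or its tooling), the following Python script implements the detection described above with an HTML parser instead of the line-based grep from the Remediation section. It classifies whole elements, so an `integrity` attribute on one line and `crossorigin` on the next are seen together; `grep -v crossorigin` applied line by line would flag the integrity line of a correctly written multi-line element such as the CORRECT snippet above. Same-origin resources are not failed, since their responses are not opaque and the browser can verify them without CORS. The sample template, the page origin `https://www.example.org/` and the `sha384-PLACEHOLDER_HASH` digests are constructed for the example.

```python
"""Element-aware check for Subresource Integrity (SRI) crossorigin pairing.

Added example, not part of the original rule text. Uses only the standard
library (html.parser) so it runs offline against a template string.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample template: one compliant <link>, one non-compliant
# cross-origin <script> (the rule's fail condition), one same-origin <script>
# with integrity only, one compliant cross-origin <script>, one without SRI.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.com/lib.css"
      integrity="sha384-PLACEHOLDER_HASH"
      crossorigin="anonymous">
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-PLACEHOLDER_HASH"></script>
<script src="/static/app.js" integrity="sha384-PLACEHOLDER_HASH"></script>
<script src="https://cdn.example.com/other.js"
        integrity="sha384-PLACEHOLDER_HASH"
        crossorigin="anonymous"></script>
<script src="https://cdn.example.com/nosri.js"></script>
</head><body></body></html>
"""


class SriCollector(HTMLParser):
    """Collect every <script>/<link> start tag that carries an integrity attribute."""

    def __init__(self):
        super().__init__()
        self.sri_elements = []  # list of (tag, line_number, attrs_dict)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link"):
            return
        attrs = dict(attrs)
        if "integrity" in attrs:
            line, _col = self.getpos()  # position of the tag start
            self.sri_elements.append((tag, line, attrs))


def is_cross_origin(url, page_origin):
    """True when the resource's scheme+host differ from the page's origin."""
    parsed = urlparse(url)
    if not parsed.netloc:  # relative URL resolves to the page's own origin
        return False
    return (parsed.scheme, parsed.netloc) != (page_origin.scheme, page_origin.netloc)


def check_sri(html, page_url="https://www.example.org/"):
    """Classify every SRI element; return counts plus the list of failures.

    A failure is a cross-origin element with integrity= but no crossorigin=.
    A bare `crossorigin` or crossorigin="" is treated as "anonymous" by the
    HTML spec, so presence of the attribute is what is checked.
    """
    parser = SriCollector()
    parser.feed(html)
    parser.close()
    origin = urlparse(page_url)
    failed, with_crossorigin = [], 0
    for tag, line, attrs in parser.sri_elements:
        url = attrs.get("src") or attrs.get("href") or ""
        if "crossorigin" in attrs:
            with_crossorigin += 1
        elif is_cross_origin(url, origin):
            failed.append((tag, line, url))
    return {
        "total": len(parser.sri_elements),
        "with_crossorigin": with_crossorigin,
        "failed": failed,
    }


def report(html, page_url="https://www.example.org/"):
    """Render the result in the rule's reporting format (PASS / FAIL / N/A)."""
    result = check_sri(html, page_url)
    if result["total"] == 0:
        return "N/A: no elements with integrity attributes found (no SRI in use)."
    summary = (f"{result['with_crossorigin']} of {result['total']} "
               "SRI resources have crossorigin attribute.")
    if result["failed"]:
        details = "; ".join(f"<{tag}> at line {line} ({url})"
                            for tag, line, url in result["failed"])
        return f"FAIL: {summary} Cross-origin resources lacking crossorigin: {details}"
    return f"PASS: {summary}"


if __name__ == "__main__":
    print(report(SAMPLE_HTML))
```

To scan real templates, read each file and pass its contents to `report()` with the origin the page is served from; the same-origin carve-out depends on that value, so set it per site rather than leaving the example default.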
External references
- cwe · CWE-345
- cwe · CWE-494
- owasp:2021 · A08
Taxons
History
- 2026-04-18·v1.0.0·Initial import from security-headers-ii·automated