Hosting JavaScript & SRI

Hosting GlobalLink Web

At this time, 3rd parties are not permitted to host our JS library.

The JS library must stay entirely in sync with the API set on the server with which it communicates. GlobalLink Web is not equipped to test the effects of running a new API set against an older JS client library. When essential logic or API changes occur, necessary precautions must be taken while updating the server and the client. Having "stale" versions of this client library in client-hosted environments presents an obstacle that GlobalLink Web cannot handle, potentially resulting in untested API mismatches and corrupted data on the server.

Subresource Integrity (SRI)

Subresource Integrity, or SRI, is a security feature that enables browsers to verify that fetched files are delivered without unexpected manipulation. It works by providing a cryptographic hash along with the link to the resource; the fetched resource itself is then hashed. This newly computed hash is compared against the hash provided. Only if the hashes match will the browser load the resource.

Get started with SRI and GlobalLink Web

Using the browser's SRI feature ensures that the moxie.min.js file never changes. Instead of our default JS snippet:

<script referrerpolicy="no-referrer-when-downgrade" src="https://www.onelink-edge.com/moxie.min.js" data-oljs="PXXXX-XXXX-XXXX-XXXX"></script>

Use the snippet with the standard SRI syntax:

<script type="text/javascript" src="https://www.onelink-edge.com/moxie/4.1.16/moxie.min.js" data-oljs="PXXXX-XXXX-XXXX-XXXX" integrity="sha256-hYLaD0Rc4fTh2Jav6lBUqkEt84oYVwwQVaMNI1cXBqs=" crossorigin="anonymous"></script>

When using the standard SRI syntax, the browser requests the moxie.min.js file, computes a sha256 digest, and compares that digest to the expected value. If a mismatch occurs, the browser removes the file and doesn't run the JavaScript.


The net result of a mismatch is that your translated site will stop translating. Everything will appear in the source language, and our injection will be halted. This would mean that every time moxie.min.js is updated, the hash in the snippet would also need to be updated. We would highly suggest that you point to a fixed version of the moxie library when using SRI. Notice in the SRI snippet above that the link to the library contains the moxie version—i.e., v4.1.16.


https://www.onelink-edge.com/moxie/4.1.16/moxie-integrity.json


The supported hashes and the hash value of the most recent fixed version of moxie.min.js are accessible from this API:


https://www.onelink-edge.com/moxie/4.1.16/moxie-integrity.json


And are provided below as well:

{
  "SHA256": "gazoQLyKJu+ifG2JfK+Lemyv90H0uQOpcjXaIH9i+hQ=",
  "SHA384": "5knIhSG2Elk+m1AoeZkupdsLp4lyJhZgBW1plQsKkTtqWvHmGgMPFyUcrbLMYZX7",
  "SHA512": "FdTJRHqbceUPrv61lrTUPtVcKBLZk89BkcJOnGM81lOSAW2b34xTfucyCV1/pa4NiYnL46/qhQIW8/Ypq2NJuA=="
}

SRI may be an extra administrative burden, but it provides additional security.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Related Articles