CDN Without SRI (Insecure)

This demo loads a script without an integrity attribute. If the CDN (simulated locally) is compromised, the browser will happily execute whatever it returns.

Expectation: “compromised” code runs
File: malicious_cdn/jquery.min.js

Unverified CDN Script

No integrity

Why it’s bad: without Subresource Integrity (SRI), a tampered CDN file can steal tokens, inject skimmers, or deface the UI. You won’t get any warning.

  1. This page loads malicious_cdn/jquery.min.js directly (no SRI).
  2. That file should simulate a compromise (e.g., set window.__cdnPwned = true, log to console, or alter the DOM).
  3. Check the “Result” box to see what executed.
Result: Waiting for script to run…