Subresource Integrity

If anyone comes across the need to use “Subresource Integrity”

(SRI is a new W3C specification that allows web developers to ensure that resources hosted on third-party servers have not been tampered with. Use of SRI is recommended as a best practice whenever libraries are loaded from a third-party source.)

this is how I managed to make it work:

<cfhttp method="GET" url="https://mywebsite/js/myfile.js" getasbinary="yes" result="ob"></cfhttp>

<cfdump var="#ToBase64(BinaryDecode(hash(ob.fileContent, 'SHA-384'),'hex'))#"/>

Notice that we have to hash the binary first, then decode the “hex” result, and finally encode it to Base64.

An online generator is here: https://www.srihash.org/ where you can check your result.
I built my own because my JavaScript was protected by access policies, CORS, etc., and I couldn’t easily use the online example without disabling some barriers, etc.

Then use it like this:
<script type="text/javascript" src="https://mywebsite/js/myfile.js" integrity="sha384-f90/ntH3yRwQBcCAdmo2m5KffTL2lSh95bR0t3+ZVKkzSil75iZjxxz2bVV4r0BB" crossOrigin="anonymous"></script>
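
The same calculation in Python, as an added example that is not part of the original post: it builds the integrity value from the raw digest, shows the hex-string mistake the hash/decode/Base64 order avoids, and checks content against an integrity attribute the way the SRI specification describes. The function names and the sample script bytes are constructed for illustration.

```python
import base64
import hashlib

# Hash algorithms the SRI specification accepts, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample file contents; hash the exact bytes the server sends.
SAMPLE_JS = b"console.log('hello');\n"


def sri_value(content: bytes, algorithm: str = "sha384") -> str:
    """Return '<alg>-<Base64 of the raw digest>' for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()  # raw bytes, not hex text
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def wrong_sri_value(content: bytes, algorithm: str = "sha384") -> str:
    """The mistake to avoid: Base64 of the hex *string*, not the raw digest."""
    hex_text = hashlib.new(algorithm, content).hexdigest().encode("ascii")
    return f"{algorithm}-{base64.b64encode(hex_text).decode('ascii')}"


def matches_integrity(content: bytes, integrity: str) -> bool:
    """Parse the space-separated tokens, keep only the strongest algorithm
    present, and accept the content if any token of that algorithm matches."""
    tokens = []
    for token in integrity.split():
        algorithm, _, rest = token.partition("-")
        expected = rest.split("?", 1)[0]  # drop optional ?options suffix
        if algorithm in SRI_ALGORITHMS and expected:
            tokens.append((SRI_ALGORITHMS.index(algorithm), algorithm, expected))
    if not tokens:
        # No usable metadata means nothing is enforced, so a typo in the
        # algorithm name silently disables the check.
        return True
    strongest = max(rank for rank, _, _ in tokens)
    return any(
        sri_value(content, algorithm).split("-", 1)[1] == expected
        for rank, algorithm, expected in tokens
        if rank == strongest
    )


if __name__ == "__main__":
    print(sri_value(SAMPLE_JS))
    print(matches_integrity(SAMPLE_JS, sri_value(SAMPLE_JS)))
```

A file whose line endings or encoding change between hashing and serving (for example LF rewritten to CRLF) produces a different value, which is why the content is fetched and hashed as binary.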