Secure Snippet

About Secure Snippet

Userlane supports SRI (Subresource Integrity) for its JavaScript Snippet. 

SRI enhances security by adding a secure signature to embedded JavaScript packages in the app. It uses a unique code that the resource must match, ensuring the Userlane packages remain unaltered and protected from unauthorized changes.


In concept, this is how Userlane’s Subresource Integrity works:

flow chart with 2 steps explaining the process of subresource integrity

Step 1: Fetching the current SRI value

The underlying application must fetch the current SRI value from a REST endpoint provided by Userlane. The communication is secured via HTTPS to ensure that the SRI value is delivered without unexpected manipulation.

Example response:

   "userlane.123.js": "sha384-abcdefg..."

The response must not be cached! The SRI value for userlane.js is subject to change from one moment to another, when new updates are deployed to the customer by Userlane, as typical for a Cloud SaaS vendor.

Step 2: Embedding userlane.js with SRI

The underlying application can use the fetched SRI value to load userlane.js into the Browser.

<script src="" integrity="sha384-abcdefg..."></script>

Secure Snippet

The secure snippet is as easy to implement as the classic snippet. Replace the loading part of the classic Snippet with this:

(function (i, s, o, g, r, a, m) {
    i['UserlaneCommandObject'] = r;
    i[r] = i[r] || function () {
        (i[r].q = i[r].q || []).push(arguments);
    var req = new XMLHttpRequest();"GET", "", false);
    var resp = JSON.parse(req.response);
    a = s.createElement(o), m = s.getElementsByTagName(o)[0];
    a.async = 1;
    a.src = g.replace("userlane.js", resp["entryPoint"]);
    a.integrity = resp["integrity"];
    a.crossOrigin = "anonymous";
    m.parentNode.insertBefore(a, m);
})(window, document, "script", "", "Userlane");

After Userlane is loaded it still needs to be initialised with a command like Userlane('init', '<put-your-propertyid-here>').

Browser Support

SRI is widely supported across modern browsers.


User Icon

Thank you! Your comment has been submitted for approval.