Secure Snippet

Userlane supports SRI (Subresource Integrity) for its JavaScript Snippet. 

SRI adds an extra layer of security by providing a secure signature on the JavaScript packages that are embedded into the underlying app. It works by providing a cryptographic hash that a fetched resource must match. This ensures that the Userlane JavaScript packages have not been modified and are protected against illegitimate manipulation.

Concept

In concept, this is how Userlane’s Subresource Integrity works:

Step 1: Fetching the current SRI value

The underlying application must fetch the current SRI value from a REST endpoint provided by Userlane. The communication is secured via HTTPS to ensure that the SRI value is delivered without unexpected manipulation.

Example response:

{
   "userlane.123.js": "sha384-abcdefg..."
}

The response must not be cached! The SRI value for userlane.js is subject to change from one moment to another, when new updates are deployed to the customer by Userlane, as typical for a Cloud SaaS vendor.

Step 2: Embedding userlane.js with SRI

The underlying application can use the fetched SRI value to load userlane.js into the Browser.

<script src="https://secure.userlane.com/userlane.123.js" integrity="sha384-abcdefg..."></script>

Secure Snippet

The secure snippet is as easy to implement as the classic snippet. Replace the loading part of the classic Snippet with this:

(function (i, s, o, g, r, a, m) {
    i['UserlaneCommandObject'] = r;
    i[r] = i[r] || function () {
        (i[r].q = i[r].q || []).push(arguments);
    };
    var req = new XMLHttpRequest();
    req.open("GET", "https://api.userlane.com/integrity/artifacts/main", false);
    req.send();
    var resp = JSON.parse(req.response);
    a = s.createElement(o), m = s.getElementsByTagName(o)[0];
    a.async = 1;
    a.src = g.replace("userlane.js", resp["entryPoint"]);
    a.integrity = resp["integrity"];
    a.crossOrigin = "anonymous";
    m.parentNode.insertBefore(a, m);
})(window, document, "script", "https://secure.userlane.com/userlane.js", "Userlane");

After Userlane is loaded it still needs to be initialised with a command like Userlane('init', '<put-your-propertyid-here>').

Browser Support

SRI is widely supported across modern browsers.