Secure Snippet

Last Modified on 03.07.2023

About Secure Snippet

Userlane supports SRI (Subresource Integrity) for its JavaScript Snippet. 

SRI enhances security by adding a secure signature to embedded JavaScript packages in the app. It uses a unique code that the resource must match, ensuring the Userlane packages remain unaltered and protected from unauthorized changes.


Concept

In concept, this is how Userlane’s Subresource Integrity works:

flow chart with 2 steps explaining the process of subresource integrity


Step 1: Fetching the current SRI value

The underlying application must fetch the current SRI value from a REST endpoint provided by Userlane. The communication is secured via HTTPS to ensure that the SRI value is delivered without unexpected manipulation.

Example response:

{
   "userlane.123.js": "sha384-abcdefg..."
}


The response must not be cached! The SRI value for userlane.js is subject to change from one moment to another, when new updates are deployed to the customer by Userlane, as typical for a Cloud SaaS vendor.


Step 2: Embedding userlane.js with SRI

The underlying application can use the fetched SRI value to load userlane.js into the Browser.

<script src="https://secure.userlane.com/userlane.123.js" integrity="sha384-abcdefg..."></script>


Secure Snippet

The secure snippet is as easy to implement as the classic snippet. Replace the loading part of the classic Snippet with this:

(function (i, s, o, g, r, a, m) {
    i['UserlaneCommandObject'] = r;
    i[r] = i[r] || function () {
        (i[r].q = i[r].q || []).push(arguments);
    };
    var req = new XMLHttpRequest();
    req.open("GET", "https://api.userlane.com/integrity/artifacts/main", false);
    req.send();
    var resp = JSON.parse(req.response);
    a = s.createElement(o), m = s.getElementsByTagName(o)[0];
    a.async = 1;
    a.src = g.replace("userlane.js", resp["entryPoint"]);
    a.integrity = resp["integrity"];
    a.crossOrigin = "anonymous";
    m.parentNode.insertBefore(a, m);
})(window, document, "script", "https://secure.userlane.com/userlane.js", "Userlane");


After Userlane is loaded it still needs to be initialised with a command like Userlane('init', '<put-your-propertyid-here>').


Browser Support

SRI is widely supported across modern browsers.

ChromeEdgeFirefoxSafari
45174315


Related Articles

  • None
Was this article helpful?
Help us improve our Help Center! Share your feedback as a comment or contact us.
User Icon

Thank you! Your comment has been submitted for approval.

Need more help?

Contact Us

Copyright © 2023 Userlane GmbH. All rights reserved.
Visit userlane.com or our Portal.