WhosON with SRI

Printed From: Parker Software Ltd
Category: WhosOn Live Chat
Forum Name: Hosted Service
Forum Description: Questions about the WhosOn Hosted Solution and notices about service status.
Printed Date: 26 Sep 2021 at 8:38am
Software Version: Web Wiz Forums 11.05

Topic: WhosON with SRI
Posted By: Brian.Dukes
Subject: WhosON with SRI
Date Posted: 03 May 2019 at 8:39am
At a recent Penetration Test scan, it was reported that 'external script not using integrity'

The remote host may be vulnerable to payment entry data exfiltration due to javascript included from potentially untrusted and unverified third parties script src.
If the host is controlled by a 3rd party, ensure that the 3rd party is PCI DSS compliant.


Looking at using SRI (Subresource Integrity), however, trying to generate a hash, I get the following issue: "Error: this resource is not eligible for integrity checks. See"

How is it therefore possible to resolve this penetration test issue? are we able to apply SRI at all?

Posted By: Liam
Date Posted: 03 May 2019 at 9:14am
Hi Brian

I think the reason why the SRI hash isn't working is because the include file is dynamically generated on request.
What you could do is browse to https://{whosonserver}/include.js?domain=
Then save the content to a JS file of your own and host that on your own web server or CDN (and reference that in the WhosOn tracking code instead), then you should be able to validate the integrity of your hard copy.
This will work although you will need to be sure to update the hard copy version of the file every time you update the WhosOn server application.
In addition, be sure to do this for each of the sites that you have configured within WhosOn, as each one will generate its own version of the include.js

I hope that this helps.
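
As an added example (not code from the thread or from Parker Software), the workflow Liam describes can be scripted once the hard copy of include.js has been saved locally: compute the SRI value, emit the replacement script tag, and later re-check the saved copy against a freshly fetched include.js to detect when a WhosOn server update has made the copy stale. The file path, the CDN URL and the sample script bytes below are constructed for illustration.

```python
import base64
import hashlib
import sys

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only digests SRI permits


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value, e.g. "sha384-<base64 digest>"."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI does not permit {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the tag that replaces the dynamic WhosOn include.
    crossorigin="anonymous" is needed whenever the copy is served from a
    different origin (a CDN); without it the browser cannot enforce integrity."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def copy_is_current(hosted_copy: bytes, live_include_js: bytes) -> bool:
    """Drift check: after a WhosOn server update the live include.js changes but
    the hard copy (and the integrity value in the page) does not. Run this on a
    schedule; a False result means the copy and the tag must be regenerated."""
    return sri_hash(hosted_copy) == sri_hash(live_include_js)


# Constructed stand-in for a saved include.js; real content comes from the server.
SAMPLE_INCLUDE_JS = b"function sWOTrackPage(){/* constructed sample */}\n"

if __name__ == "__main__":
    # Hypothetical usage: python sri_tag.py ./include.js https://cdn.example/include.js
    path, src = sys.argv[1], sys.argv[2]
    with open(path, "rb") as fh:
        saved = fh.read()
    print(script_tag(src, saved))
```

Re-run the script and redeploy the tag whenever the WhosOn server application is updated; a mismatched integrity value makes the browser refuse to execute the script rather than silently loading a changed one.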

Posted By: Brian.Dukes
Date Posted: 07 May 2019 at 8:06am
Thank you Liam

Posted By: Brian.Dukes
Date Posted: 07 May 2019 at 8:20am
Actually @Liam - I wasn't involved in the original implementation of WhosOn, so possibly some newbie question here -- you say 'and reference that in the WhosOn tracking code instead' - this is the only bit of code I can see on our site:

        <div id="chat-link-container">
            <!-- Embedded WhosOn: Insert the script below at the point on your page where you want the Click To Chat link to appear -->
            <script type='text/javascript' src='https://{whosonserver}/include.js?'></script>
            <script type='text/javascript'>
                if (typeof sWOTrackPage == 'function') sWOTrackPage();
            </script>
            <!-- End of embedded WhosOn -->
        </div>

Where is the tracking code that you refer to?

Posted By: benjamin wilshaw
Date Posted: 08 May 2019 at 3:20am
Hi Brian,

Yes this would be the tracking code my colleague Liam referred to. So if you open the url:


in a web browser this will generate the dynamically generated Include.js he mentioned so that you could host it on another web server or CDN by simply changing the url in the tracking to point to the new include.js location.

Kind Regards,

Technical Support
