How to install Clym's widget with Sub-resource Integrity (SRI)

Steps to take to implement Clym's SRI widget version

Based on your organization's needs, you may wish to include a versioned Clym script together with its integrity hash, which is done through Sub-resource Integrity (SRI).

If a situation like the following applies to you, you may wish to use the SRI-enabled Clym script:

  • If you want more control over the scripts added to your website, so that third-party providers cannot change them without your knowledge
  • If it is required by a regulation, such as the PCI requirement for payment pages

Please note that Clym only recommends using the SRI-enabled script when necessary.

SRI is a web security feature that ensures that resources like scripts or stylesheets loaded from third-party sources, such as content delivery networks (CDNs), have not been tampered with. SRI works by having the browser compute a cryptographic hash of the file it downloaded and compare it with a pre-defined value that the developer placed in the tag. If the hash matches, the file is deemed safe for use; if it does not match, the browser will not load the file. This check can be extremely valuable for some websites because it prevents attackers from injecting malicious code into the site through compromised external files.

When a browser finds a <script> or <link> tag with the integrity attribute, it does a few things to keep your site safe:

  1. Integrity Check: It compares the downloaded script or stylesheet against the hash (unique code) provided to ensure the file hasn't been tampered with.
  2. CORS Check: If the file is from another domain, the browser checks if that domain allows sharing using CORS (Cross-Origin Resource Sharing).
  3. Action on Mismatch: If the file doesn't match the hash, the browser blocks it and reports an error. This prevents potentially harmful content from running on your site.


Installing Clym's widget with SRI is an easy 3-step process:

1. Select the SRI enabled embed code

Please sign in to your Clym Portal account. From the left-hand side menu, toggle to Website settings and select Integrations on the domain you would like to add the Clym widget to. Select Setup instructions, and from the pop-up window, select HTML.

[Screenshot: sri1]


2. Copy Clym's widget embed code

In the pop-up window, toggle to the SRI enabled tab. From the drop-down menu, select which version of the Clym script you would like to use on your website. Copy the embed code from the Copy the code below field.
[Screenshot: sri2]

3. Paste the embed code onto your website

Return to your website builder, and navigate to your website's header. Paste the SRI enabled embed code into your website's header above all other scripts that you are running on your website. Please save your changes.
[Screenshot: sri3]

Maintaining your SRI-enabled script

Once you have implemented the SRI-enabled Clym script on your website, it is essential to note that you will need to update the script on your website each time we do a new release.

Each script version's expiration date will be displayed in the Clym Portal.

When the SRI-enabled script loads, it includes Clym's Blocking.js, Clym.js, the Clym iFrame and their sub-resources. The scripts we load after this fetch property data, such as your domain data as configured in the Clym Portal, and are loaded according to your regulation and/or jurisdiction settings. Because you are using the SRI-enabled script, each script you add to the Clym Portal must be added together with its signature. The Clym script we generate for you to place on your website includes these signatures, and Clym verifies them before loading the scripts on your website, depending on the user's regulation settings.

With this solution, Blocking.js, Clym.js, the Clym iFrame and their sub-resources, and the scripts we load after them, are all SRI-enabled. Blocking.js will continue to detect external scripts that have been added to your website, classify them, and add them to your property, but they will not be loaded, since they may not include a signature. As a second layer of protection, this helps mitigate the risk of someone adding external scripts to your website without prior approval. Please note that you must add any internal scripts directly to your website or add them to your Clym Portal account with a signature.

Based on your geolocation, you may not see the privacy widget. To view Clym on your site, scroll to the footer and click Privacy Center or Do not sell or share my personal information to open the widget. View more ways to verify the installation here.

If you encounter any challenges, please reach out to us at support@clym.io.