web-infra-dev · chenjiahan · Mar 18, 2025 · Mar 18, 2025
diff --git a/packages/core/src/types/config.ts b/packages/core/src/types/config.ts
@@ -470,7 +470,16 @@ export type NormalizedServerConfig = ServerConfig &
 export type SriAlgorithm = 'sha256' | 'sha384' | 'sha512';
 
 export type SriOptions = {
+  /**
+   * Specifies the algorithm used to compute the integrity hash.
+   * @default 'sha384'
+   */
   algorithm?: SriAlgorithm;
+  /**
+   * Whether to enable SRI.
+   * `'auto'` means it's enabled in production mode and disabled in development mode.
+   * @default false
+   */
   enable?: boolean | 'auto';
 };
 

diff --git a/website/docs/en/config/security/sri.mdx b/website/docs/en/config/security/sri.mdx
@@ -13,6 +13,8 @@ type SriOptions = {
 
 Adding an `integrity` attribute to `<script>` and `<link>` tags introduced by HTML allows the browser to verify the integrity of the introduced resource, thus preventing tampering with the downloaded resource.
 
+> `security.sri` is implemented based on Rspack's [SubresourceIntegrityPlugin](https://rspack.dev/plugins/rspack/subresource-integrity-plugin)
+
 ## What is SRI
 
 Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.
@@ -38,7 +40,11 @@ export default {
 };
 ```
 
-The `<script>` and `<link>` tags generated by Rsbuild will include the `integrity` and `crossorigin` attributes:
+:::tip
+If you do not set `html.crossorigin`, Rsbuild will automatically set it to `anonymous`.
+:::
+
+After enabling `security.sri`, the `<script>` and `<link>` tags generated by Rsbuild will include the `integrity` and `crossorigin` attributes:
 
 ```html
 <script
@@ -58,10 +64,9 @@ The `<script>` and `<link>` tags generated by Rsbuild will include the `integrit
 
 ## Note
 
-The `security.sri` in Rsbuild will only apply to the tags generated by Rsbuild and will not apply to:
+The `security.sri` in Rsbuild will only apply to the tags generated by Rspack and Rsbuild and will not apply to:
 
 - The original tags in the HTML template.
-- The tags injected asynchronously by Rspack.
 - The tags inserted through client JavaScript code.
 
 Rsbuild will handle the following `<link>` tags:

diff --git a/website/docs/zh/config/security/sri.mdx b/website/docs/zh/config/security/sri.mdx
@@ -13,6 +13,8 @@ type SriOptions = {
 
 为 HTML 所引入的 `<script>` 和 `<link>` 标签添加完整性属性 —— `integrity`，使浏览器能够验证引入资源的完整性，以此防止下载的资源被篡改。
 
+> `security.sri` 是基于 Rspack 的 [SubresourceIntegrityPlugin](https://rspack.dev/plugins/rspack/subresource-integrity-plugin) 实现的。
+
 ## 什么是 SRI
 
 子资源完整性 Subresource Integrity（SRI）是专门用来校验资源的一种方案，它读取资源标签中的 integrity 属性，将其中的信息摘要值，和资源实际的信息摘要值进行对比，如果发现无法匹配，那么浏览器就会拒绝执行资源。
@@ -38,7 +40,11 @@ export default {
 };
 ```
 
-Rsbuild 生成的 `<script>` 和 `<link>` 标签上会带有 `integrity` 和 `crossorigin` 属性：
+:::tip
+如果你没有设置 `html.crossorigin`，Rsbuild 会自动将它设置为 `anonymous`。
+:::
+
+启用 `security.sri` 后，Rsbuild 生成的 `<script>` 和 `<link>` 标签上会带有 `integrity` 和 `crossorigin` 属性：
 
 ```html
 <script
@@ -58,10 +64,9 @@ Rsbuild 生成的 `<script>` 和 `<link>` 标签上会带有 `integrity` 和 `cr
 
 ## 注意
 
-Rsbuild 的 `security.sri` 仅会作用于 Rsbuild 生成的标签，不会作用于：
+Rsbuild 的 `security.sri` 仅会作用于 Rspack 和 Rsbuild 生成的标签，不会作用于：
 
 - HTML 模板中原有的标签。
-- Rspack 异步注入的标签。
 - 通过客户端 JavaScript 代码插入的标签。
 
 Rsbuild 会处理以下几种 `<link>` 标签：