New CDN URLs and Subresource Integrity Hash for MSAL JS
Hello Developers!
At Build 2019 we made MSAL JavaScript generally available and have seen continued momentum with the developer community. Since making MSAL generally available we’ve seen over 50,000 weekly downloads of MSAL JS and continue to make improvements.
When we launched the MSAL JS library, we made it accessible to developers by providing a CDN URL, which can be embedded in applications. To ensure our commitment towards providing a great developer experience, we are announcing a new set of CDN URLs for MSAL JS. The new CDN URLs are hosted on Microsoft Azure CDN and will ensure better availability of our library. With two URLs, your application can fallback gracefully when an external dependency like a CDN goes down, so you can continue to provide a great user experience for your application.
The new CDN URLs for MSAL JS will also include the Subresource Integrity security feature. These new URLs are available for use starting today and the old CDN URLs for MSAL JS will be deprecated in future.
What are the new CDN URLs?
The new CDN URLs will provide better availability of our library to you and in a more resilient way. To include the library in your application, simply embed the MSAL.js CDN URLs in your application code. Both the new CDN URLs will provide the same content. The new URLs to use are:
- https://alcdn.msauth.net/lib/{version}/js/msal.js
- https://alcdn.msftauth.net/lib/{version}/js/msal.js
What about the old CDN URLs?
The old URLs will continue to work but will be deprecated sometime after April 2020. We recommend updating your application with above mentioned new URLs. Since the old URLs will be deprecated in the future, any single page application using the old URLs should move to new ones to avoid any impact. As a reminder, the old URLs can be found below
- https://secure.aadcdn.microsoftonline-p.com/lib/<version>/js/msal.js
- https://secure.aadcdn.microsoftonline-p.com/lib/<version>/js/msal.min.js
What are Subresource Integrity hashes?
We now use Subresource Integrity to provide a better and more secure way of accessing the MSAL JS library. Subresource Integrity (SRI) helps to mitigate the risks of third parties injecting any additional or malicious content into library code. We recommend using SRI attributes to your code but loading your single page application will succeed even if the SRI information is missing.
For example:
- <script src=”https://alcdn.msauth.net/lib/<version>/js/msal.js” integrity=”sha384-<checksum>” crossorigin=”anonymous”> </script>
- <script src=”https://alcdn.msftauth.net/lib/<version>/js/msal.js” integrity=”sha384-<checksum>” crossorigin=”anonymous”> </script>
How to update an application?
To import the library into your project, you can either use just one URL or you can use both the URLs as fallback option for one another.
Example for how to use one CDN URL to import latest version of MSAL JS.
<script type="text/javascript" src="https://alcdn.msauth.net/lib/1.1.3/js/msal.js"></script>
Example for how to use one CDN URL as a fallback when the other CDN URL is not working.
src="https://alcdn.msauth.net/lib/1.1.3/js/msal.js"></script>
<script type="text/javascript">
if(typeof Msal === 'undefined')document.write(unescape("%3Cscript
src='https://alcdn.msftauth.net/lib/1.1.3/js/msal.js' type='text/javascript'
%3E%3C/script%3E"));
</script>
For more detailed instructions on how to best work with the MSAL JS library, please read our MSAL JS wiki.
Light
Dark