
Integrity protection for third-party JavaScript


Modern web applications depend on many auxiliary scripts, which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.

This is the motivation behind a new addition to the web platform being introduced by the W3C: Subresource Integrity (http://www.w3.org/TR/SRI/). Both Firefox and Chrome have initial implementations of this new specification, and a few early adopters such as GitHub are currently evaluating the feature.

Francois Marier

June 04, 2015

Transcript

  1. $ curl --head https://mega.nz
     HTTP/1.1 200 OK
     Content-Type: text/html
     Content-Length: 1989
     Content-Security-Policy: default-src 'self' *.mega.co.nz *.mega.nz http://*.mega.co.nz http://*.mega.nz; script-src 'self' mega.co.nz mega.nz data: blob:; style-src 'self' 'unsafe-inline' *.mega.nz *.mega.co.nz data: blob:; frame-src 'self' mega:; img-src 'self' *.mega.co.nz *.mega.nz data:
  2. $ curl --head https://twitter.com
     HTTP/1.1 200 OK
     content-length: 58347
     content-security-policy: … report-uri https://twitter.com/csp_report
     violation reports:
  3. $ curl -i https://login.xero.com
     HTTP/1.1 200 OK
     Cache-Control: private
     Content-Type: text/html; charset=utf-8
     Strict-Transport-Security: max-age=31536000
     X-Frame-Options: SAMEORIGIN
  4. aurainfosec.com.au bcm.com.au bigbrownpromotions.com.au comssa.org.au data.qld.gov.au dreamsforabetterworld.com.au dylanscott.com.au fatzebra.com.au freethought.org.au netrider.net.au publications.qld.gov.au technotonic.com.au thomastimepieces.com.au tracktivity.com.au tradingcentre.com.au webandwords.com.au
     16
  6. “a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin”
     same-origin policy
  7. <html>
     <head>
     <title>Bug 992096 - Implement SRI</title>
     <link rel="stylesheet" href="http://localhost/francois/sri/style.css"
           integrity="sha256-PgMdguwx/O1ZJKqtGj54HIScoj0UEDV4ti5tLuc4DvA=" crossorigin="anonymous">
     </head>
     <body>
     <h1>This should be red if the hash matches!</h1>
     </body>
     </html>
  8. <html>
     <head>
     <title>Bug 992096 - Implement SRI</title>
     <link rel="stylesheet" href="http://localhost/francois/sri/style.css"
           integrity="sha256-bogus" crossorigin="anonymous">
     </head>
     <body>
     <h1>This should be red if the hash matches!</h1>
     </body>
     </html>
  9. Questions?
     feedback: [email protected]
     mozilla.dev.security
     [email protected]
     © 2015 François Marier <[email protected]>
     This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.