Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Integrity protection for third-party JavaScript

Integrity protection for third-party JavaScript

Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.

This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.

Francois Marier

February 27, 2015

More Decks by Francois Marier

Other Decks in Programming


  1. $ curl --head https://mega.nz HTTP/1.1 200 OK Content-Type: text/html Content-Length:

    1989 Content-Security-Policy: default-src 'self' *.mega.co.nz *.mega.nz http://*.mega.co.nz http://*.mega.nz; script-src 'self' mega.co.nz mega.nz data: blob:; style-src 'self' 'unsafe-inline' *.mega.co.nz *.mega.nz data: blob:; frame-src 'self' mega:; img-src 'self' *.mega.co.nz *.mega.nz data: blob:
  2. $ curl --head https://twitter.com HTTP/1.1 200 OK content-length: 58347 content-security-policy:

    … report-uri https://twitter.com/csp_report violation reports:
  3. $ curl -i https://login.xero.com HTTP/1.1 200 OK Cache-Control: private Content-Type:

    text/html; charset=utf-8 Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN
  4. © 2015 François Marier <[email protected]> This work is licensed under

    a Creative Commons Attribution-ShareAlike 4.0 License. Questions? feedback: [email protected] mozilla.dev.security [email protected]