Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Integrity protection for third-party JavaScript

Francois Marier
February 27, 2015
Programming
2
600

Integrity protection for third-party JavaScript

Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.

This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.

Francois Marier

February 27, 2015
Tweet

More Decks by Francois Marier

See All by Francois Marier
Security and Privacy settings for Firefox Power Users
fmarier
0
300
Getting Browsers to Improve the Security of Your Webapp
fmarier
0
270
Hardening Firefox for Privacy and Security
fmarier
0
1k
Security and Privacy on the Web in 2016
fmarier
0
210
Privacy and Tracking Protection in Firefox
fmarier
0
280
Security and Privacy on the Web in 2015
fmarier
0
280
Security and Privacy on the Web in 2015
fmarier
0
190
Integrity protection for third-party JavaScript
fmarier
1
800
URL to HTML
fmarier
1
280

Other Decks in Programming

See All in Programming
AIコーディングワークフローの試行 〜AIエージェント×ワークフローでの自動化を目指して〜
rkaga
2
3.5k
The Weight of Data: Rethinking Cloud-Native Systems for the Age of AI
hollycummins
0
270
Strategic Design (DDD) for the Frontend @DDD Meetup Stuttgart
manfredsteyer
PRO
0
120
API for docs
soutaro
2
1.1k
Develop Faster With FrankenPHP
dunglas
2
3.2k
On-the-fly Suggestions of Rewriting Method Deprecations
ohbarye
0
200
プロダクト横断分析に役立つ、事前集計しないサマリーテーブル設計
hanon52_
2
420
PHPで書いたAPIをGoに書き換えてみた 〜パフォーマンス改善の可能性を探る実験レポート〜
koguuum
0
150
gen_statem - OTP's Unsung Hero
whatyouhide
1
200
The Implementations of Advanced LR Parser Algorithm
junk0612
0
150
国漢文混用体からHolloまで
minhee
1
180
Youtube Lofier - Chrome拡張開発
ninikoko
0
2.4k

Featured

See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
We Have a Design System, Now What?
morganepeng
52
7.5k
Faster Mobile Websites
deanohume
306
31k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Producing Creativity
orderedlist
PRO
344
40k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
5
520
The Art of Programming - Codeland 2020
erikaheidi
53
13k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
119
51k
A better future with KSS
kneath
239
17k
For a Future-Friendly Web
brad_frost
176
9.7k
How STYLIGHT went responsive
nonsquared
99
5.5k
How GitHub (no longer) Works
holman
314
140k

Transcript

  1. <script src=”https://ajax. googleapis.com/ajax/libs/j query/1.8.0/jquery.min.js” integrity=”type:text/javas cript sha512-AODL7idgffQeN sYdTzut09nz9AINcjhj4jHD72H cLirsidbC8tz+dof7gceOCQD8W skeuRFfJ9CsgZTHlMiOYg==”><

    /script> Integrity protection for 3rd-party JavaScript François Marier @fmarier mozilla

  2. Firefox Security & Privacy

  3. Web Platform

  4. Web Platform

  5. None

  6. Content Security Policy aka CSP

  7. Content Security Policy aka CSP mechanism for preventing XSS

  8. telling the browser what external content is allowed to load

  9. what does CSP look like?

  10. $ curl --head https://mega.nz HTTP/1.1 200 OK Content-Type: text/html Content-Length:

    1989 Content-Security-Policy: default-src 'self' *.mega.co.nz *.mega.nz http://*.mega.co.nz http://*.mega.nz; script-src 'self' mega.co.nz mega.nz data: blob:; style-src 'self' 'unsafe-inline' *.mega.co.nz *.mega.nz data: blob:; frame-src 'self' mega:; img-src 'self' *.mega.co.nz *.mega.nz data: blob:

  11. Hi you<script> alert('p0wned'); </script>! Tweet! What's on your mind?

  12. (of course, in a real web application, this would never

    be a problem)

  13. (the JS would be filtered out during input sanitisation)

  14. without CSP

  15. Hi you! Freedom Fighter @whaledumper - just moments ago p0wned

    Ok

  16. with CSP

  17. Hi you! Freedom Fighter @whaledumper - just moments ago

  18. Content-Security-Policy: script-src 'self' https://cdn.example.com

  19. inline scripts are blocked unless unsafe-inline is specified

  20. directives: script-src object-src style-src img-src media-src frame-src marquee-src font-src connect-src

  21. directives: script-src object-src style-src img-src media-src frame-src marquee-src font-src connect-src

  22. $ curl --head https://twitter.com HTTP/1.1 200 OK content-length: 58347 content-security-policy:

    … report-uri https://twitter.com/csp_report violation reports:

  23. "csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/image.png", "violated-directive": "default-src

    'self'", "effective-directive": "img-src", "original-policy": "default-src 'self'; report-uri http://example.org/..." }
  24. None

  25. new directives form-action plugin-types

  26. support for inline scripts Content-Security-Policy: script-src 'sha256-YWIzOW...'

  27. https://connect.microsoft.com/IE/feedback/details/793746/ie11-feature-request-support-for-the-content-security-policy-header

  28. None

  29. HTTP Strict Transport Security aka HSTS

  30. HTTP Strict Transport Security aka HSTS mechanism for preventing HTTPS

    to HTTP downgrades

  31. telling the browser that your site should never be reached

    over HTTP
  32. None

  33. GET asb.co.nz 301 → GET https://asb.co.nz 200 → no HSTS,

    no sslstrip

  34. GET asb.co.nz → 200 no HSTS, with sslstrip

  35. what does HSTS look like?

  36. $ curl -i https://login.xero.com HTTP/1.1 200 OK Cache-Control: private Content-Type:

    text/html; charset=utf-8 Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN

  37. with HSTS, with sslstrip GET https://asb.co.nz 200 →

  38. silent client-side redirects HTTP → HTTPS

  39. no HTTP traffic for sslstrip to tamper with

  40. except for the very first connection

  41. https://hstspreload.appspot.com/

  42. pop quiz! how many .nz sites are on the preload

    list?

  43. $ grep \\.nz force-https.json { "name": "mega.co.nz" }, { "name":

    "api.mega.co.nz" },

  44. http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

  45. None
  46. None
  47. None

  48. wanna know more? https://speakerdeck.com/fmarier/defeating-cross-site-scripting-with-content-security-policy-updated

  49. 2015?

  50. no need to add any extra headers

  51. None
  52. None
  53. None
  54. None

  55. https://ajax.googleapis.com /ajax/libs/jquery/1.8.0/ jquery.min.js

  56. how common is this?

  57. None

  58. what would happen if that server were compromised?

  59. None

  60. Bad Things™ steal sessions leak confidential data redirect to phishing

    sites enlist DDoS zombies

  61. simple solution

  62. <script src=”https://ajax.googleapis.com...”> instead of this:

  63. <script src=”https://ajax.googleapis.com...” integrity=”sha256-1z4uG/+cVbhShP...”> do this:

  64. You owe me $10.00. f4243c12541be6f79c73e539c426e07a f2f6c4ef8794894f4903aee54542586d

  65. You owe me $1000. 1ebd7a8d15a6dab743f0c4d147f731bc fc6b74752afe43afa5389ba8830a2215

  66. guarantee: script won't change or it'll be blocked

  67. limitation: won't work for scripts that change all the time

  68. 3 types of scripts

  69. dynamically-generated script: not a good fit for SRI

  70. https://ajax.googleapis.com /ajax/libs/jquery/1.8.0/ jquery.min.js

  71. immutable scripts: perfect for SRI

  72. what about your own scripts? (they change, but you're the

    one changing them)

  73. scripts under your control: good fit for SRI

  74. can usually add the hashing to your static resource pipeline

  75. #!/bin/sh cat src/*.js > bundle.js HASH=`sha256sum bundle.js |cut -f1 -d'

    '` mv bundle.js public/bundle-${HASH}.js

  76. public/bundle-c2498bc358....js Cache-Control: max-age=∞

  77. <script src=”widgets.js”> <script src=”app.js”> <script src=”menu.js”>

  78. <script src=”bundle-c2498bc....js”>

  79. <script src=”bundle-c2498bc....js” integrity=”sha256-c2498bc...”>

  80. what else?

  81. integrity=” sha256-1z4uG/+cVbhShP... ”

  82. integrity=” type:application/javascript sha256-1z4uG/+cVbhShP... ”

  83. integrity=” type:application/javascript sha512-AODL7idgffQeNs... ”

  84. integrity=” type:application/javascript sha256-1z4uG/+cVbhShP... sha384-RqG7UC/QK2TVRa... sha512-AODL7idgffQeNs... ”

  85. <link rel="stylesheet" href="style.css" integrity="sha256-PgMdguwx/O..."> stylesheet support

  86. violation reports Content-Security-Policy: integrity-policy block

  87. violation reports Content-Security-Policy: integrity-policy report; report-uri https://...

  88. cat file.js | openssl dgst -sha256 -binary | openssl enc

    -base64 -A

  89. SRIhash.org

  90. None

  91. status?

  92. spec is approaching “last call”

  93. (initial implementations)

  94. © 2015 François Marier <[email protected]> This work is licensed under

    a Creative Commons Attribution-ShareAlike 4.0 License. Questions? feedback: [email protected] mozilla.dev.security [email protected]

  95. photo credits: bank notes: https://www.flickr.com/photos/epsos/8463683689 web devs: https://www.flickr.com/photos/mbiddulph/238171366 explosion: https://www.flickr.com/photos/-cavin-/2313239884/