Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (7)
Similar to Integrity protection for third-party JavaScript
Similar to Integrity protection for third-party JavaScript (20)
More from Francois Marier
More from Francois Marier (20)
Recently uploaded
Recently uploaded (20)
Integrity protection for third-party JavaScript
- 1. <script src=”https://ajax.googl eapis.com/ajax/libs/jquery/1.8. 0/jquery.min.js” integrity=”typ e:text/javascript sha512-AODL7i dgffQeNsYdTzut09nz9AINcjhj4jHD7 2HcLirsidbC8tz+dof7gceOCQD8Wske uRFfJ9CsgZTHlMiOYg==”></script> Integrity protection for 3rd -party JavaScript François Marier @fmarier mozilla
- 3. Web Platform
- 4. Web Platform
- 5. Content Security Policy aka CSP
- 6. Content Security Policy aka CSP mechanism for preventing XSS
- 7. telling the browser what external content is allowed to load
- 8. what does CSP look like?
- 9. $ curl --head https://mega.nz HTTP/1.1 200 OK Content-Type: text/html Content-Length: 1989 Content-Security-Policy: default-src 'self' *.mega.co.nz *.mega.nz http://*.mega.co.nz http://*.mega.nz; script-src 'self' mega.co.nz mega.nz data: blob:; style-src 'self' 'unsafe-inline' *.mega.nz *.mega.co.nz data: blob:; frame-src 'self' mega:; img-src 'self' *.mega.co.nz *.mega.nz data:
- 10. Hi you<script> alert('p0wned'); </script>! Tweet! What's on your mind?
- 11. without CSP
- 12. Hi you! John Doe - just moments ago p0wned Ok
- 13. with CSP
- 14. Hi you! John Doe - just moments ago
- 16. inline scripts are blocked unless unsafe-inline is specified
- 18. $ curl --head https://twitter.com HTTP/1.1 200 OK content-length: 58347 content-security-policy: … report-uri https://twitter.com/csp_report violation reports:
- 19. "csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/image.png", "violated-directive": "default-src 'self'", "effective-directive": "img-src", "original-policy": "default-src 'self'; report-uri http://example.org/..." }
- 21. support for inline scripts Content-Security-Policy: script-src 'sha256-YWIzOW...'
- 23. Strict Transport Security aka HSTS
- 24. Strict Transport Security aka HSTS mechanism for preventing HTTPS to HTTP downgrades
- 25. telling the browser that your site should never be reached over HTTP
- 27. GET bank.com.au 301→ GET https://bank.com.au 200→ no HSTS, no sslstrip
- 28. GET bank.com.au → 200 no HSTS, with sslstrip
- 29. what does HSTS look like?
- 30. $ curl -i https://login.xero.com HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN
- 31. with HSTS, with sslstrip GET https://bank.com.au 200→
- 32. silent client-side redirects HTTP → HTTPS
- 33. no HTTP traffic for sslstrip to tamper with
- 34. except for the very first connection
- 36. pop quiz! how many .au sites are on the preload list?
- 43. 2015?
- 49. how common is this?
- 51. what would happen if that server were compromised?
- 53. Bad Things™ steal sessions leak confidential data redirect to phishing sites enlist DDoS zombies
- 54. simple solution
- 57. You owe me $10.00. f4243c12541be6f79c73e539c426e07a f2f6c4ef8794894f4903aee54542586d
- 58. You owe me $1000. 1ebd7a8d15a6dab743f0c4d147f731bc fc6b74752afe43afa5389ba8830a2215
- 59. guarantee: script won't change or it'll be blocked
- 60. limitation: won't work for scripts that change all the time
- 61. 3 types of scripts
- 62. dynamically-generated script: not a good fit for SRI I
- 63. immutable scripts: perfect for SRI II
- 65. what about your own scripts? (they change, but you're the one changing them)
- 66. III scripts under your control: good fit for SRI
- 67. can usually add the hashing to your static resource pipeline
- 68. #!/bin/sh cat src/*.js > bundle.js HASH=`sha256sum bundle.js |cut -f1 -d' '` mv bundle.js public/bundle-${HASH}.js
- 70. <script src=”widgets.js”> <script src=”app.js”> <script src=”menu.js”>
- 73. what else?
- 77. what about cross-origin requests?
- 78. “a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin” same-origin policy
- 81. example.com/index.html example.com/data.js: var secret = 42; evil.net/widget.js: exfiltrate(secret);
- 82. example.com/index.html example.com/data.js: var secret = 42; evil.net/widget.js: exfiltrate(secret);
- 85. on the server: Access-Control-Allow-Origin: * on the client: crossorigin=”anonymous”
- 88. cat file.js | openssl dgst -sha256 -binary | openssl enc -base64 -A
- 89. SRIhash.org
- 91. status?
- 92. spec is being finalized
- 94. demo
- 95. <html> <head> <title>Bug 992096 - Implement SRI</title> <link rel="stylesheet" href="http://localhost/francois/sri/style.css" integrity=" sha256-PgMdguwx/O1ZJKqtGj54HIScoj0UEDV4ti5tLuc4DvA=" crossorigin="anonymous"> </head> <body> <h1>This should be red if the hash matches!</h1> </body> </html>
- 99. <html> <head> <title>Bug 992096 - Implement SRI</title> <link rel="stylesheet" href="http://localhost/francois/sri/style.css" integrity=" sha256-bogus" crossorigin="anonymous"> </head> <body> <h1>This should be red if the hash matches!</h1> </body> </html>
- 102. Questions? feedback: francois@mozilla.com mozilla.dev.security public-webappsec@w3.org © 2015 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
- 103. photo credits: bank notes: https://www.flickr.com/photos/epsos/8463683689 web devs: https://www.flickr.com/photos/mbiddulph/238171366 explosion: https://www.flickr.com/photos/-cavin-/2313239884/