Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere. This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.

1. <script src=”https://ajax.
googleapis.com/ajax/libs/j
query/1.8.0/jquery.min.js”
integrity=”type:text/javas
cript sha512-AODL7idgffQeN
sYdTzut09nz9AINcjhj4jHD72H
cLirsidbC8tz+dof7gceOCQD8W
skeuRFfJ9CsgZTHlMiOYg==”><
/script>
Integrity protection for
3rd
-party JavaScript
François Marier @fmarier mozilla

2. Firefox
Security & Privacy

3. Web Platform

4. Web Platform

6. Content Security Policy
aka CSP

7. Content Security Policy
aka CSP
mechanism for preventing XSS

8. telling the browser what external
content is allowed to load

9. what does CSP look like?

10. $ curl --head https://mega.nz
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1989
Content-Security-Policy:
default-src 'self' *.mega.co.nz
*.mega.nz http://*.mega.co.nz
http://*.mega.nz;
script-src 'self' mega.co.nz mega.nz
data: blob:;
style-src 'self' 'unsafe-inline'
*.mega.co.nz *.mega.nz data: blob:;
frame-src 'self' mega:;
img-src 'self' *.mega.co.nz *.mega.nz
data: blob:

11. Hi you<script>
alert('p0wned');
</script>!
Tweet!
What's on your mind?

12. (of course, in a real web application,
this would never be a problem)

13. (the JS would be filtered out
during input sanitisation)

14. without CSP

15. Hi you!
Freedom Fighter @whaledumper - just moments ago
p0wned
Ok

16. with CSP

17. Hi you!
Freedom Fighter @whaledumper - just moments ago

18. Content-Security-Policy:
script-src 'self'
https://cdn.example.com

19. inline scripts are blocked unless
unsafe-inline is specified

20. directives:
script-src
object-src
style-src
img-src
media-src
frame-src
marquee-src
font-src
connect-src

21. directives:
script-src
object-src
style-src
img-src
media-src
frame-src
marquee-src
font-src
connect-src

22. $ curl --head https://twitter.com
HTTP/1.1 200 OK
content-length: 58347
content-security-policy: …
report-uri https://twitter.com/csp_report
violation reports:

23. "csp-report": {
"document-uri":
"http://example.org/page.html",
"referrer":
"http://evil.example.com/haxor.html",
"blocked-uri":
"http://evil.example.com/image.png",
"violated-directive":
"default-src 'self'",
"effective-directive":
"img-src",
"original-policy":
"default-src 'self';
report-uri http://example.org/..."
}

25. new directives
form-action
plugin-types

26. support for inline scripts
Content-Security-Policy:
script-src 'sha256-YWIzOW...'

27. https://connect.microsoft.com/IE/feedback/details/793746/ie11-feature-request-support-for-the-content-security-policy-header

29. HTTP Strict
Transport Security
aka HSTS

30. HTTP Strict
Transport Security
aka HSTS
mechanism for preventing
HTTPS to HTTP downgrades

31. telling the browser that your site
should never be reached over HTTP

33. GET asb.co.nz 301→
GET https://asb.co.nz 200→
no HSTS, no sslstrip

34. GET asb.co.nz → 200
no HSTS, with sslstrip

35. what does HSTS look like?

36. $ curl -i https://login.xero.com
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN

37. with HSTS, with sslstrip
GET https://asb.co.nz 200→

38. silent client-side redirects
HTTP → HTTPS

39. no HTTP traffic for
sslstrip to tamper with

40. except for the very
first connection

41. https://hstspreload.appspot.com/

42. pop quiz!
how many .nz sites are
on the preload list?

43. $ grep .nz force-https.json
{ "name": "mega.co.nz" },
{ "name": "api.mega.co.nz" },

44. http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

48. wanna know more?
https://speakerdeck.com/fmarier/defeating-cross-site-scripting-with-content-security-policy-updated

49. 2015?

50. no need to add
any extra headers

55. https://ajax.googleapis.com
/ajax/libs/jquery/1.8.0/
jquery.min.js

56. how common is this?

58. what would happen if that
server were compromised?

60. Bad Things™
steal sessions
leak confidential data
redirect to phishing sites
enlist DDoS zombies

61. simple solution

62. <script
src=”https://ajax.googleapis.com...”>
instead of this:

63. <script
src=”https://ajax.googleapis.com...”
integrity=”sha256-1z4uG/+cVbhShP...”>
do this:

64. You owe me $10.00.
f4243c12541be6f79c73e539c426e07a
f2f6c4ef8794894f4903aee54542586d

65. You owe me $1000.
1ebd7a8d15a6dab743f0c4d147f731bc
fc6b74752afe43afa5389ba8830a2215

66. guarantee:
script won't change
or it'll be blocked

67. limitation:
won't work for scripts
that change all the time

68. 3 types of scripts

69. dynamically-generated script:
not a good fit for SRI

70. https://ajax.googleapis.com
/ajax/libs/jquery/1.8.0/
jquery.min.js

71. immutable scripts:
perfect for SRI

72. what about your own scripts?
(they change, but you're
the one changing them)

73. scripts under your control:
good fit for SRI

74. can usually add the hashing to
your static resource pipeline

75. #!/bin/sh
cat src/*.js > bundle.js
HASH=`sha256sum bundle.js |cut -f1 -d' '`
mv bundle.js public/bundle-${HASH}.js

76. public/bundle-c2498bc358....js
Cache-Control: max-age=∞

77. <script src=”widgets.js”>
<script src=”app.js”>
<script src=”menu.js”>

78. <script src=”bundle-c2498bc....js”>

79. <script src=”bundle-c2498bc....js”
integrity=”sha256-c2498bc...”>

80. what else?

81. integrity=”
sha256-1z4uG/+cVbhShP...
”

82. integrity=”
type:application/javascript
sha256-1z4uG/+cVbhShP...
”

83. integrity=”
type:application/javascript
sha512-AODL7idgffQeNs...
”

84. integrity=”
type:application/javascript
sha256-1z4uG/+cVbhShP...
sha384-RqG7UC/QK2TVRa...
sha512-AODL7idgffQeNs...
”

85. <link rel="stylesheet"
href="style.css"
integrity="sha256-PgMdguwx/O...">
stylesheet support

86. violation reports
Content-Security-Policy:
integrity-policy block

87. violation reports
Content-Security-Policy:
integrity-policy report;
report-uri https://...

88. cat file.js
| openssl dgst -sha256 -binary
| openssl enc -base64 -A

89. SRIhash.org

91. status?

92. spec is approaching
“last call”

93. (initial implementations)

94. © 2015 François Marier <francois@mozilla.com>
This work is licensed under a
Creative Commons Attribution-ShareAlike 4.0 License.
Questions?
feedback:
francois@mozilla.com
mozilla.dev.security
public-webappsec@w3.org

95. photo credits:
bank notes: https://www.flickr.com/photos/epsos/8463683689
web devs: https://www.flickr.com/photos/mbiddulph/238171366
explosion: https://www.flickr.com/photos/-cavin-/2313239884/