-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: Implement Automatic Integrity Checks #15
Comments
We thought about the same but decided not to go for it because of 2 reasons:
It is a pain really for external scripts that can change without notice (GA, CF, etc.). I think the way to think about it is:
For self-hosted scripts though it is different, and we do inject integrity hashes for scripts that are generated as part of the build process - based on the assumption that the local script cannot be compromised at the time of build. My personal opinion is that I'm fine with it as long as it is an option. |
Interesting, thanks for your input! I agree that we shouldn't be adding integrity checks for any remote script that isn't versioned (and not bundled). For example useScriptNpm, this has a When bundling scripts and serving them with the app, in my mind, it should be safe enough. For example, we can download Google Analytics at build time and serve it for the duration of that release. I think the chances of Google breaking old script APIs is low due to the nature of browser caching, even if they do Here's an example: useScript('https://static.cloudflareinsights.com/beacon.min.js', { assetStrategy: 'bundle' }) We download this script and serve it under a hash, meaning it gets transformed to something like this: useScript({
src: '/__script/<hash>.js',
integrity: '...'
}) The only issue from this will arise if Cloudflare modifies the API the script talks to, this is still a risk but a low one and the consequences are minimal. If the user is opting it then I see no issue. |
Ah got it, you are proposing this as part of In that case fully agree that it's fine. And also agree that serious providers always update their APIs with backwards-compatibility in mind. Never heard of GA breaking old scripts. The only remaining issue is when you bundle a compromised version of the remote script. Setting in stone a snapshot of that script prevents the user from benefiting from future security patches. But this has nothing to do with integrity - unfortunately that's a consequence of bundling. |
To improve the security of using third-party scripts, we're able to compute the integrity of a script at build time and inject it within the
<script>
tag.For example, we can do something like this:
-->
This would provide a window between builds that would block potential attackers from modifying the script with malicious code. If a script source has already been attacked when the integrity is computed it wouldn't do anything useful.
@vejja Would be great to have your input on this 🙏
The text was updated successfully, but these errors were encountered: