<script src=”https://ajax.googl eapis.com/ajax/libs/jquery/1.8. 0/jquery.min.js” integrity=”typ e:text/javascript sha512-AODL7i dgffQeNsYdTzut09nz9AINcjhj4jHD7 2HcLirsidbC8tz+dof7gceOCQD8Wske uRFfJ9CsgZTHlMiOYg==”></script>
Integrity protection for3rd-party JavaScript
François Marier @fmarier mozilla
FirefoxSecurity & Privacy
Web Platform
Web Platform
Content Security Policyaka CSP
Content Security Policyaka CSP
mechanism for preventing XSS
telling the browser what externalcontent is allowed to load
what does CSP look like?
$ curl --head https://mega.nzHTTP/1.1 200 OKContent-Type: text/htmlContent-Length: 1989Content-Security-Policy:
default-src 'self' *.mega.co.nz *.mega.nzhttp://*.mega.co.nz http://*.mega.nz;
script-src 'self' mega.co.nz mega.nz data:blob:;
style-src 'self' 'unsafe-inline' *.mega.nz*.mega.co.nz data: blob:;
frame-src 'self' mega:;img-src 'self' *.mega.co.nz *.mega.nz data:
Hi you<script>alert('p0wned');</script>!
Tweet!
What's on your mind?
without CSP
Hi you!John Doe - just moments ago
p0wnedOk
with CSP
Hi you!John Doe - just moments ago
Content-Security-Policy:
script-src 'self'
https://cdn.example.com
inline scripts are blocked unlessunsafe-inline is specified
script-srcobject-srcstyle-srcimg-srcmedia-srcframe-srcfont-src
connect-src
$ curl --head https://twitter.comHTTP/1.1 200 OKcontent-length: 58347content-security-policy: …report-uri https://twitter.com/csp_report
violation reports:
"csp-report": { "document-uri":
"http://example.org/page.html", "referrer":
"http://evil.example.com/haxor.html", "blocked-uri":
"http://evil.example.com/image.png", "violated-directive": "default-src 'self'", "effective-directive": "img-src", "original-policy":
"default-src 'self';report-uri http://example.org/..."
}
support for inline scripts
Content-Security-Policy:
script-src 'sha256-YWIzOW...'
Strict Transport Securityaka HSTS
Strict Transport Securityaka HSTS
mechanism for preventingHTTPS to HTTP downgrades
telling the browser that your siteshould never be reached over HTTP
GET bank.com.au 301→
GET https://bank.com.au 200→
no HSTS, no sslstrip
GET bank.com.au → 200
no HSTS, with sslstrip
what does HSTS look like?
$ curl -i https://login.xero.comHTTP/1.1 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Strict-Transport-Security: max-age=31536000X-Frame-Options: SAMEORIGIN
with HSTS, with sslstrip
GET https://bank.com.au 200→
silent client-side redirectsHTTP → HTTPS
no HTTP traffic forsslstrip to tamper with
except for the veryfirst connection
https://hstspreload.appspot.com/
pop quiz!how many .au sites are
on the preload list?
aurainfosec.com.aubcm.com.aubigbrownpromotions.com.aucomssa.org.audata.qld.gov.audreamsforabetterworld.com.audylanscott.com.aufatzebra.com.aufreethought.org.aunetrider.net.aupublications.qld.gov.autechnotonic.com.authomastimepieces.com.autracktivity.com.autradingcentre.com.auwebandwords.com.au
16
aurainfosec.com.aubcm.com.aubigbrownpromotions.com.aucomssa.org.audata.qld.gov.audreamsforabetterworld.com.audylanscott.com.aufatzebra.com.aufreethought.org.aunetrider.net.aupublications.qld.gov.autechnotonic.com.authomastimepieces.com.autracktivity.com.autradingcentre.com.auwebandwords.com.au
2015?
https://ajax.googleapis.com
/ajax/libs/jquery/1.8.0/
jquery.min.js
how common is this?
what would happen if thatserver were compromised?
Bad Things™
steal sessionsleak confidential dataredirect to phishing sitesenlist DDoS zombies
simple solution
instead of this:
<scriptsrc=”https://ajax.googleapis.com...”>
<scriptsrc=”https://ajax.googleapis.com...”integrity=”sha256-1z4uG/+cVbhShP...”>
do this:
You owe me $10.00.
f4243c12541be6f79c73e539c426e07af2f6c4ef8794894f4903aee54542586d
You owe me $1000.
1ebd7a8d15a6dab743f0c4d147f731bcfc6b74752afe43afa5389ba8830a2215
guarantee:script won't changeor it'll be blocked
limitation:won't work for scriptsthat change all the time
3 types of scripts
dynamically-generated script:
not a good fit for SRI
I
immutable scripts:
perfect for SRI
II
https://ajax.googleapis.com
/ajax/libs/jquery/1.8.0/
jquery.min.js
what about your own scripts?
(they change, but you'rethe one changing them)
IIIscripts under your control:
good fit for SRI
can usually add the hashing toyour static resource pipeline
#!/bin/sh
cat src/*.js > bundle.js
HASH=`sha256sum bundle.js |cut -f1 -d' '`
mv bundle.js public/bundle-${HASH}.js
public/bundle-c2498bc358....js
Cache-Control: max-age=∞
<script src=”widgets.js”><script src=”app.js”><script src=”menu.js”>
<script src=”bundle-c2498bc....js”>
<script src=”bundle-c2498bc....js” integrity=”sha256-c2498bc...”>
what else?
integrity=”
sha256-9Cm9ekBvKrtQ0A...
“ sha256-rKSr3LcX+EkeM=...
sha256-1z4uG/+cVbhShP...
sha384-RqG7UC/QK2TVRa...
sha512-AODL7idgffQeNs...
”
integrity=”
sha256-9Cm9ekBvKrtQ0A...
sha256-rKSr3LcX+EkeM=...
sha256-1z4uG/+cVbhShP...
“ sha384-RqG7UC/QK2TVRa...
sha512-AODL7idgffQeNs...
”
integrity=”
sha256-9Cm9ekBvKrtQ0A...
sha256-rKSr3LcX+EkeM=...
sha256-1z4uG/+cVbhShP...
sha384-RqG7UC/QK2TVRa...
sha512-AODL7idgffQeNs...
”
what about cross-origin requests?
“a web browser permits scripts contained in a firstweb page to access data in a second web page,but only if both web pages have the same origin”
same-origin policy
example.com/index.html
example.com/index.html
example.com/data.js:
var secret = 42;
example.com/index.html
example.com/data.js:
var secret = 42;
evil.net/widget.js:
exfiltrate(secret);
example.com/index.html
example.com/data.js:
var secret = 42;
evil.net/widget.js:
exfiltrate(secret);
on the server:
Access-Control-Allow-Origin: *
on the server:
Access-Control-Allow-Origin: *
on the client:
crossorigin=”anonymous”
<script
src=”https://ajax.googleapis.com...”
integrity=”sha256-1z4uG/+cVbhShP...”
crossorigin=”anonymous”>
complete example:
<link rel="stylesheet"
href="style.css"
integrity="sha256-PgMdguwx/O..."
crossorigin=”anonymous”>
complete example:
cat file.js
| openssl dgst -sha256 -binary
| openssl enc -base64 -A
SRIhash.org
status?
spec is being finalized
(initial implementations)
demo
<html><head> <title>Bug 992096 - Implement SRI</title> <link rel="stylesheet" href="http://localhost/francois/sri/style.css" integrity=" sha256-PgMdguwx/O1ZJKqtGj54HIScoj0UEDV4ti5tLuc4DvA=" crossorigin="anonymous"></head>
<body> <h1>This should be red if the hash matches!</h1></body></html>
h1 { color: red;}
<html><head> <title>Bug 992096 - Implement SRI</title> <link rel="stylesheet" href="http://localhost/francois/sri/style.css" integrity=" sha256-bogus" crossorigin="anonymous"></head>
<body> <h1>This should be red if the hash matches!</h1></body></html>
Questions?feedback:
[email protected]@w3.org
© 2015 François Marier <[email protected]>This work is licensed under aCreative Commons Attribution-ShareAlike 4.0 License.
photo credits:
bank notes: https://www.flickr.com/photos/epsos/8463683689
web devs: https://www.flickr.com/photos/mbiddulph/238171366
explosion: https://www.flickr.com/photos/-cavin-/2313239884/
Top Related