I am working on a scenario in which JavaScript files are hosted on a CDN. I want to have a mechanism so that when these files are downloaded on the user side, I can ensure that the files were not tampered with and are indeed coming from the specified CDN.
I understand that the task is easy if I am using SSL, but still, I want to ensure that the right files are served even on HTTP without SSL.
As far as I could search, there is no existing mechanism like a digital signature for JavaScript files that is supported across platforms. Perhaps it's not needed?
Is there a method built into browsers to verify the author of JavaScript files? Is there anything I can do to achieve this in a secure way?
As a matter of fact, a feature like this is currently being drafted under the name of Subresource Integrity. Look into the integrity attribute of the <script> tag. While not yet adopted across the board, it fulfills this purpose.
integrity: Contains inline metadata that a user agent can use to verify that a fetched resource has been delivered free of unexpected manipulation. See Subresource Integrity.
Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.
Example:
<script src="https://example.com/example-framework.js" integrity="sha384-oqvuafxrkap7fdgccy5uykm6+r9gqq8k/uxy9rx7hnqlgyl1kpzqho1wx4jwy8wc" crossorigin="anonymous"></script>
Note that this will not protect against man-in-the-middle attacks if you are transferring your resources via plain HTTP. In this case, the hash code can be spoofed by the attacker, rendering the defense against manipulated script files useless.
For this reason, you should use secure HTTPS connections instead of plain HTTP in addition to the security measures described above.
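One way to compute and check an integrity value, as an added example that is not part of the original question or answer: Node.js code that builds the attribute value for a file and applies the matching rule browsers use (only the strongest listed algorithm is checked, and any one of its digests may match). The function names and the sample script bytes are constructed for illustration.

```javascript
// Added example (not from the original answer): SRI digest and match rule.
const { createHash } = require("crypto");

// Hash algorithms SRI defines, ordered weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Value for the integrity attribute, computed over the exact bytes served.
function sriValue(bytes, alg = "sha384") {
  return `${alg}-${createHash(alg).update(bytes).digest("base64")}`;
}

// Split an integrity attribute into { alg, digest } entries.
// Malformed tokens and unknown algorithms are dropped.
function parseIntegrity(attr) {
  const entries = [];
  for (const token of attr.trim().split(/\s+/)) {
    const dash = token.indexOf("-");
    if (dash < 1) continue;
    const alg = token.slice(0, dash).toLowerCase();
    const digest = token.slice(dash + 1).split("?")[0]; // drop ?options
    if (STRENGTH.includes(alg) && digest) entries.push({ alg, digest });
  }
  return entries;
}

// Matching rule: only the strongest listed algorithm is checked, and any
// one of its digests may match. With no usable entry nothing is enforced.
function matchesIntegrity(bytes, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true;
  const best = Math.max(...entries.map((e) => STRENGTH.indexOf(e.alg)));
  const alg = STRENGTH[best];
  const actual = sriValue(bytes, alg).slice(alg.length + 1);
  return entries.some((e) => e.alg === alg && e.digest === actual);
}

// Constructed sample bytes standing in for a CDN-hosted script.
const GENUINE = Buffer.from("window.framework = { version: 1 };\n");
const TAMPERED = Buffer.from("window.framework = { version: 1 }; /* changed */\n");

const tag = sriValue(GENUINE);
console.log(tag);
console.log(matchesIntegrity(GENUINE, tag));   // file as published
console.log(matchesIntegrity(TAMPERED, tag));  // modified in transit or on the CDN
// The digest is only as trustworthy as the page that carries it: if the HTML
// itself arrives over plain HTTP, both file and attribute can be replaced.
console.log(matchesIntegrity(TAMPERED, sriValue(TAMPERED)));
```

Base64 is case-sensitive, so a digest whose letter case has been altered no longer matches the file it was computed from.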