<script src=”https://ajax. googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js” integrity=”type:text/javascript sha512-AODL7idgffQeNsYdTzut09nz9AINcjhj4jHD72HcLirsidbC8tz+dof7gceOCQD8WskeuRFfJ9CsgZTHlMiOYg==”></script>

Integrity protection for3rd-party JavaScript

François Marier @fmarier mozilla

FirefoxSecurity & Privacy

Web Platform

Web Platform

Content Security Policyaka CSP

Content Security Policyaka CSP

mechanism for preventing XSS

telling the browser what externalcontent is allowed to load

what does CSP look like?

$ curl --head https://mega.nzHTTP/1.1 200 OKContent-Type: text/htmlContent-Length: 1989Content-Security-Policy:default-src 'self' *.mega.co.nz

*.mega.nz http://*.mega.co.nzhttp://*.mega.nz;

script-src 'self' mega.co.nz mega.nzdata: blob:;

style-src 'self' 'unsafe-inline'*.mega.co.nz *.mega.nz data: blob:;

frame-src 'self' mega:;img-src 'self' *.mega.co.nz *.mega.nz

data: blob:

Hi you<script>alert('p0wned');</script>!

Tweet!

What's on your mind?

(of course, in a real web application,this would never be a problem)

(the JS would be filtered outduring input sanitisation)

without CSP

Hi you!Freedom Fighter @whaledumper - just moments ago

p0wned

Ok

with CSP

Hi you!Freedom Fighter @whaledumper - just moments ago

Content-Security-Policy:

script-src 'self'

https://cdn.example.com

inline scripts are blocked unlessunsafe-inline is specified

directives:script-srcobject-srcstyle-srcimg-srcmedia-srcframe-srcmarquee-srcfont-src

connect-src

directives:script-srcobject-srcstyle-srcimg-srcmedia-srcframe-srcmarquee-srcfont-src

connect-src

$ curl --head https://twitter.comHTTP/1.1 200 OKcontent-length: 58347content-security-policy: …report-uri https://twitter.com/csp_report

violation reports:

"csp-report": { "document-uri":

"http://example.org/page.html", "referrer":

"http://evil.example.com/haxor.html", "blocked-uri":

"http://evil.example.com/image.png", "violated-directive":

"default-src 'self'", "effective-directive":

"img-src", "original-policy":

"default-src 'self';report-uri http://example.org/..."

}

new directives

form-action

plugin-types

support for inline scripts

Content-Security-Policy:

script-src 'sha256-YWIzOW...'

https://connect.microsoft.com/IE/feedback/details/793746/ie11-feature-request-support-for-the-content-security-policy-header

HTTP StrictTransport Security

aka HSTS

HTTP StrictTransport Security

aka HSTS

mechanism for preventingHTTPS to HTTP downgrades

telling the browser that your siteshould never be reached over HTTP

GET asb.co.nz 301→

GET https://asb.co.nz 200→

no HSTS, no sslstrip

GET asb.co.nz → 200

no HSTS, with sslstrip

what does HSTS look like?

$ curl -i https://login.xero.comHTTP/1.1 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Strict-Transport-Security: max-age=31536000X-Frame-Options: SAMEORIGIN

with HSTS, with sslstrip

GET https://asb.co.nz 200→

silent client-side redirectsHTTP → HTTPS

no HTTP traffic forsslstrip to tamper with

except for the veryfirst connection

https://hstspreload.appspot.com/

pop quiz!

how many .nz sites areon the preload list?

$ grep \\.nz force-https.json

{ "name": "mega.co.nz" },

{ "name": "api.mega.co.nz" },

http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

wanna know more?

https://speakerdeck.com/fmarier/defeating-cross-site-scripting-with-content-security-policy-updated

2015?

no need to addany extra headers

https://ajax.googleapis.com

/ajax/libs/jquery/1.8.0/

jquery.min.js

how common is this?

what would happen if thatserver were compromised?

Bad Things™steal sessionsleak confidential dataredirect to phishing sitesenlist DDoS zombies

simple solution

<scriptsrc=”https://ajax.googleapis.com...”>

instead of this:

<scriptsrc=”https://ajax.googleapis.com...”

integrity=”sha256-1z4uG/+cVbhShP...”>

do this:

You owe me $10.00.

f4243c12541be6f79c73e539c426e07af2f6c4ef8794894f4903aee54542586d

You owe me $1000.

1ebd7a8d15a6dab743f0c4d147f731bcfc6b74752afe43afa5389ba8830a2215

guarantee:script won't changeor it'll be blocked

limitation:won't work for scriptsthat change all the time

3 types of scripts

dynamically-generated script:

not a good fit for SRI

https://ajax.googleapis.com

/ajax/libs/jquery/1.8.0/

jquery.min.js

immutable scripts:

perfect for SRI

what about your own scripts?

(they change, but you'rethe one changing them)

scripts under your control:

good fit for SRI

can usually add the hashing toyour static resource pipeline

#!/bin/sh

cat src/*.js > bundle.js

HASH=`sha256sum bundle.js |cut -f1 -d' '`

mv bundle.js public/bundle-${HASH}.js

public/bundle-c2498bc358....js

Cache-Control: max-age=∞

<script src=”widgets.js”><script src=”app.js”><script src=”menu.js”>

<script src=”bundle-c2498bc....js”>

<script src=”bundle-c2498bc....js” integrity=”sha256-c2498bc...”>

what else?

integrity=”

sha256-1z4uG/+cVbhShP...

”

integrity=”

type:application/javascript

sha256-1z4uG/+cVbhShP...

”

integrity=”

type:application/javascript

sha512-AODL7idgffQeNs...

”

integrity=”

type:application/javascript

sha256-1z4uG/+cVbhShP...

sha384-RqG7UC/QK2TVRa...

sha512-AODL7idgffQeNs...

”

<link rel="stylesheet"

href="style.css"

integrity="sha256-PgMdguwx/O...">

stylesheet support

violation reports

Content-Security-Policy:

integrity-policy block

violation reports

Content-Security-Policy:

integrity-policy report;

report-uri https://...

cat file.js

| openssl dgst -sha256 -binary

| openssl enc -base64 -A

SRIhash.org

status?

spec is approaching“last call”

(initial implementations)

© 2015 François Marier <francois@mozilla.com>This work is licensed under aCreative Commons Attribution-ShareAlike 4.0 License.

Questions?

feedback:

francois@mozilla.commozilla.dev.securitypublic-webappsec@w3.org

photo credits:

bank notes: https://www.flickr.com/photos/epsos/8463683689

web devs: https://www.flickr.com/photos/mbiddulph/238171366

explosion: https://www.flickr.com/photos/-cavin-/2313239884/