Secure autoloading by integrity #1680
Prism doesn't check integrity of extension scripts with autoloading. Can you make Prism secure by checking integrity? All the integrity is listed in https://cdnjs.com/libraries/prism.
FYI: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
Comments
Out of curiosity, what is the use case here? i.e., how is this intended to be used in real life effectively? I was trying to think if this is something Highlight.js should consider for the future. I understand the idea of checksums for CDN resources (to prevent the resources from being replaced with malicious ones), but... I'll use an example from Highlight.js now: A LOT of users load our entire library via CDN (and additional grammar modules if they need them; we build some in). But typically (in these cases) they are pulling in the main Is this only for cases where the main I wonder if it wouldn't be more/equally important to update all the docs to make sure users (using CDNs) are loading the core JS library itself with a SHA384
The correct checksums copied to our service can't be compromised.
@falsandtru Why not? And I'm talking about any CDN service, not just This is what I was asking for clarification on... Again, in other cases I'm familiar with, the library itself is loaded via CDN... (then the modules are loaded from CDN)... so if the library has already been compromised, then any embedded SHA384 would also be suspect.
I'm expecting the following scenario.
Number one is just as simple as adding the integrity attribute to the rendered HTML? Right?
Yes.
@falsandtru Thanks. :) We're going to start making these digests available for Highlight.js going forward: For us it's all manual (no auto-loading), but still this might provide a nice security bump to those who want/need it.