Integrity protection for third-party JavaScript

Content Security Policy
aka CSP

Content Security Policy
aka CSP
mechanism for preventing XSS

telling the browser what external
content is allowed to load

$ curl --head https://mega.nz
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1989
Content-Security-Policy:
default-src 'self' *.mega.co.nz
*.mega.nz http://*.mega.co.nz
http://*.mega.nz;
script-src 'self' mega.co.nz mega.nz
data: blob:;
style-src 'self' 'unsafe-inline'
*.mega.co.nz *.mega.nz data: blob:;
frame-src 'self' mega:;
img-src 'self' *.mega.co.nz *.mega.nz
data: blob:

Hi you<script>
alert('p0wned');
</script>!
Tweet!
What's on your mind?

(of course, in a real web application,
this would never be a problem)

(the JS would be filtered out
during input sanitisation)

Hi you!
Freedom Fighter @whaledumper - just moments ago
p0wned
Ok

Hi you!
Freedom Fighter @whaledumper - just moments ago

script-src 'self'
https://cdn.example.com

inline scripts are blocked unless
unsafe-inline is specified

directives:
script-src
object-src
style-src
img-src
media-src
frame-src
marquee-src
font-src
connect-src

$ curl --head https://twitter.com
HTTP/1.1 200 OK
content-length: 58347
content-security-policy: …
report-uri https://twitter.com/csp_report
violation reports:

"csp-report": {
"document-uri":
"http://example.org/page.html",
"referrer":
"http://evil.example.com/haxor.html",
"blocked-uri":
"http://evil.example.com/image.png",
"violated-directive":
"default-src 'self'",
"effective-directive":
"img-src",
"original-policy":
"default-src 'self';
report-uri http://example.org/..."
}

new directives
form-action
plugin-types

support for inline scripts
script-src 'sha256-YWIzOW...'

https://connect.microsoft.com/IE/feedback/details/793746/ie11-feature-request-support-for-the-content-security-policy-header

HTTP Strict
Transport Security
aka HSTS

HTTP Strict
Transport Security
aka HSTS
mechanism for preventing
HTTPS to HTTP downgrades

telling the browser that your site
should never be reached over HTTP

GET asb.co.nz 301→
GET https://asb.co.nz 200→
no HSTS, no sslstrip

GET asb.co.nz → 200
no HSTS, with sslstrip

$ curl -i https://login.xero.com
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN

with HSTS, with sslstrip
GET https://asb.co.nz 200→

silent client-side redirects
HTTP → HTTPS

no HTTP traffic for
sslstrip to tamper with

except for the very
first connection

https://hstspreload.appspot.com/

pop quiz!
how many .nz sites are
on the preload list?

$ grep .nz force-https.json
{ "name": "mega.co.nz" },
{ "name": "api.mega.co.nz" },

http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

wanna know more?
https://speakerdeck.com/fmarier/defeating-cross-site-scripting-with-content-security-policy-updated

no need to add
any extra headers

https://ajax.googleapis.com
/ajax/libs/jquery/1.8.0/
jquery.min.js

what would happen if that
server were compromised?

Bad Things™
steal sessions
leak confidential data
redirect to phishing sites
enlist DDoS zombies

You owe me $10.00.
f4243c12541be6f79c73e539c426e07a
f2f6c4ef8794894f4903aee54542586d

You owe me $1000.
1ebd7a8d15a6dab743f0c4d147f731bc
fc6b74752afe43afa5389ba8830a2215

guarantee:
script won't change
or it'll be blocked

limitation:
won't work for scripts
that change all the time

dynamically-generated script:
not a good fit for SRI

immutable scripts:
perfect for SRI

what about your own scripts?
(they change, but you're
the one changing them)

scripts under your control:
good fit for SRI

can usually add the hashing to
your static resource pipeline

#!/bin/sh
cat src/*.js > bundle.js
HASH=`sha256sum bundle.js |cut -f1 -d' '`
mv bundle.js public/bundle-${HASH}.js

public/bundle-c2498bc358....js
Cache-Control: max-age=∞

integrity=”
sha256-1z4uG/+cVbhShP...
”

integrity=”
type:application/javascript
”

integrity=”
sha512-AODL7idgffQeNs...
”

integrity=”
sha384-RqG7UC/QK2TVRa...
sha512-AODL7idgffQeNs...
”

violation reports
integrity-policy block

violation reports
integrity-policy report;
report-uri https://...

cat file.js
| openssl dgst -sha256 -binary
| openssl enc -base64 -A

spec is approaching
“last call”

© 2015 François Marier <francois@mozilla.com>
This work is licensed under a
Creative Commons Attribution-ShareAlike 4.0 License.
Questions?
feedback:
francois@mozilla.com
mozilla.dev.security
public-webappsec@w3.org

photo credits:
bank notes: https://www.flickr.com/photos/epsos/8463683689
web devs: https://www.flickr.com/photos/mbiddulph/238171366
explosion: https://www.flickr.com/photos/-cavin-/2313239884/

Integrity protection for third-party JavaScript

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to Integrity protection for third-party JavaScript (20)

More from Francois Marier (20)

Recently uploaded (20)

Integrity protection for third-party JavaScript