Home

Geeklog: What I Learnt Today / Adam

SRi - Sub Resource integrity

> Was being asked about the security of a site recently due to a false flag on an automated site security tester. One of the things that came up on the forum the query was placed on was that the site didn't use SRI.
Amazing how everyone on forum knows everything, so whilst restraining myself from saying pointing out all the things they said that were wrong, started reading about SRI which turns out to be Subresource integrity.
The site had recently moved to using a subdomain to serve the images and static stuff like css and js in order to speed up the site. Turns out that subresource integrity is a new W3C Candidate https://w3c.github.io/webappsec-subresource-integrity/.
It is aimed at verifying that when a site is calling resources from a remote resource such as a CDN that the resources returned match that expected and the content have not been modified by some outside agent.
For example the page example.com/index.html loads css from cdn.example.com/layout.css but has no idea if cdn.example.com/layout.css is what it expects or has been modified by some malicious agent so all the text is pink. (possibly by militant my little pony fan girls)
SRI allows example.com/index.html link tag to include a hash of what the called resource should be
<link rel="stylesheet" href="//cdn.example.com/layout.css" integrity="HASH M6kredJcxdsqkczBUjMLvqyHb1KHASH">
With HASHM6kredJcxdsqkczBUjMLvqyHb1KHASH being a hash of layout.css. This integrity attribute can be used by the user agent in this case a browser to avoid executing malicious or substituted code. If you think that the remote resource could be a script and you really don't want some random javascript injected in your page. Mozilla have a good explanation at https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity. Currently it seems only supported only in the browsers you would expect Chrome, Firefox and Opera (http://caniuse.com/#search=SRi)

/ Adam