The Last Watchdog

JUNE 30, 2021

Today’s websites integrate dozens of third-party service providers, from user analytics to marketing tags, CDNs , ads, media and these third-party services load their code and content into the browser directly. Companies like Google , Dropbox , Twitter and others have successfully adopted W3C and HTML5 security standards like CSP, SRI, etc.

IT 126

IT Risk Mining Analytics 126

Troy Hunt

MAY 1, 2018

In that post, I talked about the benefits of subresource integrity or as we often know it, SRI. Edge now joins the other major browsers in rejecting any script which doesn't hash down to the value specified in the integrity tag. This has been a long time coming.

IT 49

IT Security Government 49

Troy Hunt

APRIL 19, 2018

Let me paraphrase: Bank: We're thinking of using SRI to protect malicious modification of scripts we load in from a partner. Me: Ok, but be conscious that means they can never change those scripts without you first modifying the integrity attribute on your script tags and you need time to push that out so as not to break the site.

Security 47

Security IT 47

Troy Hunt

JUNE 30, 2022

We also use hashes when implementing subresource integrity (SRI) on websites to ensure external dependencies haven't been modified. Every time this very blog loads Font Awesome from Cloudflare's CDN, for example, it's verified against the hash in the integrity attribute of the script tag (view source for yourself).

Passwords 122

Passwords IT Mining Consumer Services 122

Troy Hunt

FEBRUARY 11, 2018

This tag was in the source code over at secure.donaldjtrump.com/donate-homepage yet it was pulling script directly off Igor Escobar's GitHub repository for the project. We have a very robust, well-proven defence for this in subresource integrity (SRI). Now, imagine if Igor took a dislike to Trump. And that's the paradox.

Libraries 97

Libraries Risk Government IT 97