The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries
Troy Hunt
FEBRUARY 11, 2018
This tag was in the source code over at secure.donaldjtrump.com/donate-homepage yet it was pulling script directly off Igor Escobar's GitHub repository for the project. What could you do if you could modify that script and subsequently cause your own arbitrary JavaScript to execute on Trump's website? It was the US Courts too.
Let's personalize your content