{"id":102,"date":"2015-09-02T18:51:21","date_gmt":"2015-09-02T18:51:21","guid":{"rendered":"http:\/\/fluentreports.com\/blog\/?p=102"},"modified":"2015-09-02T18:59:17","modified_gmt":"2015-09-02T18:59:17","slug":"adding-external-resource-security","status":"publish","type":"post","link":"http:\/\/fluentreports.com\/blog\/?p=102","title":{"rendered":"Adding External Resource Security"},"content":{"rendered":"<p><a href=\"http:\/\/fluentreports.com\/blog\/wp-content\/uploads\/2015\/09\/lock-143616_1280.jpg\"><img class=\"alignright size-medium wp-image-105\" src=\"http:\/\/fluentreports.com\/blog\/wp-content\/uploads\/2015\/09\/lock-143616_1280-300x200.jpg\" alt=\"lock-143616_1280\" width=\"300\" height=\"200\" \/><\/a>In a lot of larger web sites it is pretty common to use several third-party resources like JavaScript. However, this is a potential malicious door into your customers' computers via your website. What happens if the third-party resource is changed by someone who does not have your best interests at heart? Your page will still happily load the malware right onto your customers' browsers. So what can you do about this?<\/p>\n<p>Well, I'm glad you asked. The just-released Chrome 45 (and soon an upcoming Firefox release) adds an awesome new feature to protect your customers (and your reputation). When you link to any resource in your web page, you can now use the <strong>integrity<\/strong> attribute to tell the browser that the file must match a given hash before it is loaded and used.<\/p>\n<p>So &lt;script ... <strong>integrity<\/strong>=\"sha256-some_sha256_hash\"&gt; or &lt;link ... <strong>integrity<\/strong>=\"sha384-some_sha384_hash\"&gt;<\/p>\n<p>According to the <a href=\"https:\/\/w3c.github.io\/webappsec\/specs\/subresourceintegrity\" target=\"_blank\">W3C spec<\/a>, browsers must support SHA-256, SHA-384 and SHA-512 hashes in the integrity attribute. In browsers that don't support this yet, the attribute does nothing and the resources load just like normal. But in browsers that do support it, when the browser downloads the resource it hashes it and verifies that the hash matches before allowing the resource to be used. Because the hash pins the exact file contents, a legitimate update to the third-party file will also be blocked until you update the hash in your page.<\/p>\n<p>On Linux you can generate the hash by doing:<br \/>\n<code>cat the_file_resource | openssl dgst -sha256 -binary | openssl enc -base64 -A<\/code><\/p>\n<p>On Windows, if you have OpenSSL installed, you can do:<br \/>\n<code>type the_file_resource | openssl dgst -sha256 -binary | openssl enc -base64 -A<\/code><\/p>\n<p>Or if you don't have OpenSSL installed, you can also easily cheat by using Chrome. Just add the integrity attribute with a bogus value, then reload the page. When Chrome blocks the file, the developer console shows the computed hash for it.<\/p>\n<p>For the full W3C spec: <a href=\"https:\/\/w3c.github.io\/webappsec\/specs\/subresourceintegrity\/\">https:\/\/w3c.github.io\/webappsec\/specs\/subresourceintegrity\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a lot of larger web sites it is pretty 
common to use several third-party resources like JavaScript. However, this is a potential malicious door into your customers' computers via your website. What happens if the third-party resource is changed by someone who does not have your best interests at heart? Your&hellip; <a class=\"more-link\" href=\"http:\/\/fluentreports.com\/blog\/?p=102\">Continue reading <span class=\"screen-reader-text\">Adding External Resource Security<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[20,3,5],"tags":[24,25,26,22,23,21],"class_list":["post-102","post","type-post","status-publish","format-standard","hentry","category-browser","category-javascript","category-security","tag-browser","tag-chrome","tag-firefox","tag-javascript","tag-resources","tag-security","entry"],"_links":{"self":[{"href":"http:\/\/fluentreports.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/102","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/fluentreports.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/fluentreports.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/fluentreports.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/fluentreports.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=102"}],"version-history":[{"count":4,"href":"http:\/\/fluentreports.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/102\/revisions"}],"predecessor-version":[{"id":107,"href":"http:\/\/fluentreports.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/102\/revisions\/107"}],"wp:attachment":[{"href":"http:\/\/fluentreports.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/flue
ntreports.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=102"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/fluentreports.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}