Subresource Integrity (opens in new tab)

What about caching? If the HTML and the JS are both updated, but the browser receives the new version of one and the old version of another, this will break your page. (Since you'd now have to update the integrity attribute for every JS change, it means you run this risk every time you update your JS.)

To be fair, running a mismatched version of the JS could already break things if the changes are big enough, but for minor updates, the user often won't notice the difference. Now, these cases are hard failures. That's not necessarily a bad thing, but I wonder if there's a path here to tell the browser "you have an old version of the content; go get the new version."

CDNs and invalidations can be tricky, and it sounds like this could lead to things being broken more often if you're caught in the window where one piece updates before the other.

I really wish browsers could leverage this for caching across origins. If my copy of jQuery has the same SHA256 as another file the user has already downloaded, there's no need to load it again

Couldn't the great chinese firewall just intercept Github.com's HTML page as well and change the subresource integrity hashes? I thought that the Great Chinese Firewall already has the ability to penetrate SSL connections via some means.

Would love for the next generation of SRI to include signatures as an option (e.g. integrity="ed25519-<public_key>").

Hashes means you have to specify an exact version, so there's not an easy way to add integrity to things like Google's CDN for jQuery that has latest minor version update links for the major API versions of jQuery.

Of course, that means also adding a signature to the payload response (maybe an "Integrity: <hash>-<sig>" header?). So it's understandable why signatures weren't in scope for the first release.

<script src="..." is very dangerous. At best, you can vet the src and check to see if it's benign or not. Often times, that vendor and their "1-line of javascript to get our whiz-bang service" in turn loads other javascript files. I don't see how cryptographically signing the bootloader solves anything in this case. Compromised analytics or vendor javascript will still lead to total site pwnage if I'm reading this right.

It's nice that Github, Inc. likes subresource integrity. Did they put it on their web pages? As of right now, it doesn't seem to be on their home page. The next big step is for Wordpress to support it.

Subresource integrity is in some ways more important than "HTTPS Everywhere", because the MITM-as-a-service sites such as Cloudflare subvert HTTPS Everywhere. For security reasons, you might choose to serve your home page and a few security-critical pages from your own server, without using a CDN. But run everything else through the CDN, using subresource integrity to keep the CDN honest.

With subresource integrity, many items no longer need to be encrypted. This is good for security. Encryption interferes with caching, and HTTPS in front of caches means that the attack surface is larger, and includes the CDN.

(Yes, there's an argument that HTTPS conceals what the user was browsing. Not really. Checking document length will provide a good hint on what static asset was read. The pattern of document lengths requested tends to fingerprint the page being read.)

This looks like a fantastic technology to protect against maliciously injected javascript. Great to see GitHub leading the charge here and taking their security seriously.

Careful! I've seen proxies (TracFone I think) subtly modify JSON files by removing whitespace, probably in the name of download speed. That will break the hashing.

If you start seeing unexplained errors on pay-as-you-go phones, you'll know why; although if this facility gains popularity then I'm sure they'll be pressured to stop modifying content.

Edit : post below is right, nonces are only for inline scripts https://bugs.webkit.org/show_bug.cgi?id=89577

original: IIRC CSP already has hashes for resources, which also would handle this purpose.

As a side note, there's at least one CDN already hosting fake copy of bootstrap - I've seen a mlicious extension loading it in my report-uri.io logs.

This is great, but only if your CDN is not also serving your HTML files! (static sites)

Should be "sha256-..." (without dash between sha and 256)

This is nice and all, but as a security-paranoid I really wish Github would spent some effort improving their access control model. Today, Github access control is extremely course-grained, such that if I want to give someone permission to merely set labels on issues, I also have to give them permission to push arbitrary changes to the master branch. Additionally, the access control model is weird: I can define "teams" with some set of members and some set of repositories they can access, but the entire "team" must have the same access level to all repositories they can access, making it hard to define some repositories as being more sensitive than others. (Or, possibly, I've misunderstood the model, but if so that's its own problem.)

This matters: If someone wants to hack my company, they're not going to do it by hacking Github's CDN. They're going to do it by targeting particular employees -- probably focusing on those who have the least security experience. To reduce risk, I need to give each team member the least authority they need to do their job. Github is making it really hard for me to do that; I tend to have to give "admin" rights to everyone. :(

This is one of the best additions to the Web Platform as of late IMHO. Great if you run an operation with a lot of third party code coming in from sources that you don't control - even beyond the security concerns for just "keeping them honest" about the scripts they run on your page. I hope it gets adopted by all browser vendors soon.

    Widespread adoption of Subresource Integrity could
    have largely prevented the Great Cannon attack
    earlier this year.

Sorry, it wouldn't have. From the CitizenLab report [1] on the Great Cannon attacks:

    In the attack on GitHub and GreatFire.org, the GC
    intercepted traffic sent to Baidu infrastructure
    servers that host commonly used analytics, social,
    or advertising scripts.  If the GC saw a request
    for certain Javascript files on one of these servers,
    it appeared to probabilistically take one of two
    actions: it either passed the request onto Baidu’s
    servers unmolested (roughly 98.25% of the time),
    or it dropped the request before it reached Baidu
    and instead sent a malicious script back to the
    requesting user (roughly 1.75% of the time).  In
    this case, the requesting user is an individual
    outside China browsing a website making use of a
    Baidu infrastructure server (e.g., a website with
    ads served by Baidu’s ad network).  The malicious
    script enlisted the requesting user as an unwitting
    participant in the DDoS attack against GreatFire.org
    and GitHub.

So the idea is someone runs a site with:

    <script src="http://baidu.com/ads.js">

When visitors request these scripts the request passes through the "Great Cannon" which 1.75% of the time serves a different script instead. That malicious script makes lots of requests to the victim sites, and they're overloaded.

To prevent this sort of attack with SRI you would need to change your page to look like:

    <script src="http://baidu.com/ads.js"
            integrity="hash of the real ads.js">

The problem is, Baidu isn't going to be willing to commit to always serving the same ads js: they need to be able to make upgrades.

SRI is useful in the case where the entity producing the html is referencing js that they've uploaded to a third party CDN or js where they choose what version to run, but not in the normal "include a snippet and we'll do stuff to your page" model.

(To block the Great Cannon there, what would have worked would be moving the js serving to HTTPS.)

[1] https://citizenlab.org/2015/04/chinas-great-cannon/

By the way. I have an SRI tester to determine if your browser supports SRI. It's still very new and doesn't have a lot of support

https://ejj.io/sri/

The next step: A distributed, content-addressed caching system that allows the web browser to fetch the data from the fastest/nearest caching server by hash.

IPFS comes to mind.

You can use https://srihash.org to hash links and update your HTML.

This is an excellent idea. So long as you trust the server you're talking to, and it's using TLS, you can eliminate attack vectors by a compromised CDN this way.

Bravo. :)