
Use Subresource Integrity on all `<script/>`s and `<link/>`s

Open YoshiRulz opened this issue 3 years ago • 2 comments

MDN

This appears to be used for Bootstrap and Font Awesome currently.

YoshiRulz avatar Sep 28 '22 23:09 YoshiRulz

Are there third-party resources where we don't currently use the integrity attribute?

Masterjun3 avatar Sep 28 '22 23:09 Masterjun3

No, or at least not on the landing page.

// Run in the browser console on the page: lists every <script>/<link> that lacks an
// integrity attribute and does not point back at tasvideos.org
Array.from(document.querySelectorAll("script, link"))
	.filter(e => !e.hasAttribute("integrity"))
	.map(e => e.src || e.href)
	.filter(s => !s.startsWith("https://tasvideos.org"))
// => Array []

YoshiRulz avatar Sep 28 '22 23:09 YoshiRulz

We decided to not put integrity hashes on script tags.

  1. We converted to no inline script usage, and put a CSP to disable them. All script tags now reference a .js file
  2. We can trust that the referenced file on our server is what we think it is. Or inversely, if someone can take control of the .js files on our server, they can easily take control of the html as well, so this restriction does not add any additional security

It will make sense to have integrity checks on all 3rd party referenced .js files as we do not control what happens to their server

adelikat avatar Jun 21 '24 18:06 adelikat