However, this scenario is not a novel concept. Over the years, awareness has fortunately morphed into best-practice doctrine, which in this case comes from the World Wide Web Consortium (W3C) and is known as the Subresource Integrity (SRI) recommendation. This mechanism lets the browser verify the integrity of an external resource against a digest declared by the embedding page, refusing to evaluate the resource if the check fails.
Let’s say a third-party provider such as a Content Delivery Network (CDN) is compromised. Without SRI, the attacker can execute arbitrary JavaScript in the context (origin) of the web application, in the browser of every visitor, with the impact bounded only by what the web application itself can legitimately do. Indeed, Magecart, one of the most prolific cyber-criminal consortiums of all time, takes advantage of, amongst other flaws, a lack of SRI implementation in many of their hacks.
To enforce SRI, adding two attributes to the <script> element (the same works for <link rel="stylesheet">) is sufficient:
- integrity: the sha384 digest of the exact bytes of the external resource, base64-encoded and prefixed with the algorithm name (sha256 and sha512 are also accepted; if several digests are listed, the browser honours only the strongest algorithm present);
- crossorigin: set to anonymous, which makes the browser fetch the resource in CORS mode without sending credentials (cookies). This is required for a resource on a different origin: without CORS the response is opaque, the browser cannot read it to verify the digest, and the script is blocked. The CDN must therefore also answer with an Access-Control-Allow-Origin header.
For example, the above becomes:
<script src="http://some-cdn.com/some-library.js" integrity="sha384-+54fLHoW8AHu3nHtUxs9fW2XKOZ2ZwKHB5olRtKSDTKJIb1Na1EceFZMS8E72mzW" crossorigin="anonymous"></script>