Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Provide optional SRI hash when displaying embed code
See original GitHub issueSome operators might prefer to embed the Offen script with an integrity attribute to prevent eventual MITM scenarios.
The embed code box in the Auditorium could provide a toggle for displaying the snippet with such an SRI value added. The default behavior should still be using no hash (as this is easier to upgrade).
Issue Analytics
- State:
- Created 3 years ago
- Comments:22 (22 by maintainers)
Top Results From Across the Web
How to use SRI hashes to secure third-party dependencies
How to use SRI hashes to secure third-party dependencies. Add a hash to make sure the CDN can only send the file you...
Read more >Subresource Integrity - Web security | MDN
Subresource Integrity (SRI) is a security feature that enables browsers ... It works by allowing you to provide a cryptographic hash that a ......
Read more >Subresource Integrity - W3C
This document specifies such a validation scheme, extending two HTML elements with an integrity attribute that contains a cryptographic hash ...
Read more >SRI hash not what is expected - Stack Overflow
I found the solution... If I change the code to get the file with File.ReadAllBytes() or WebClient.DownloadData() it works fine.
Read more >What's in Your Website? Lurking Risk From Third-party ...
To use SRI, the developer of the web app needs to provide the hashes of the ... that doesn't have a hash associated...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Unfortunately I forgot about one thing when I wrote my last comment: if you compute the hash off of a version that you fetch at runtime, the very calculation is vulnerable to MITM attacks, which is what the SRI hash is even supposed to prevent. I.e. if someone compromises the
script.jsasset somehow without you noticing, you will happily add theintegrityvalue of the compromised asset. I’m sorry I didn’t catch this earlier and I hope you didn’t invest too much time in it yet.Moving on, I can see two other ways to implement this:
Compute hash at build time
The build for
auditoriumassets could pull in the previously builtscriptassets (plural as there are multiple locales available) and compute their hashes. These values are then injected into the build as environment variables and the code could just read them fromprocess.env.SCRIPT_INTEGRITY_HASHor similar.This is probably the “safest” way to do it.
Compute hash on the server
Alternatively, the hash could be computed by the Go application at runtime. This value is then injected into the rendered HTML template for the Auditorium which can then read the hash from a global variable or similar.
Do you think that makes sense? Let me know if I should clarify anything or if you think that I’m missing something.
Hey, thank you for your feedback @hendr-ik . I think I like your suggestion more than my current implementation because it is a little bit more straight forward and more clear.
I’ll still post it here as basis for discussion:
I also created a work in progress merge where you can give some feedback on the implementation 👍
https://github.com/offen/offen/pull/730