If you're still using polyfill.io you probably want to replace/remove it IMMEDIATELY. The domain has been sold and the new owners are injecting #malware (1).

If you absolutely have to use externally hosted #JavaScript and #CSS, it's a good idea to secure it with #SubresourceIntegrity (2). It's supported by most old browsers you're probably polyfilling for.

(1) https://polykill.io/
(2) https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

#polyfillio #polyfillioattack #supplychainattack

Our first #OpenSource release since our company was legally constituted. Not a big deal, but sort of a milestone :D.

A package to improve the security of your Astro site against #XSS attacks:
https://www.npmjs.com/package/@kindspells/astro-sri-csp

#Astrobuild #WithAstro #ContentSecurityPolicy #SubresourceIntegrity #WebSecurity

@kindspells/astro-sri-csp

An Astro plugin to compute and inject SRI hashes for script and style tags. Latest version: 0.1.6, last published: 10 minutes ago. Start using @kindspells/astro-sri-csp in your project by running `npm i @kindspells/astro-sri-csp`. There are no other projects in the npm registry using @kindspells/astro-sri-csp.


I've written a new blog post for #Mozilla's MDN.

https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/

All about #SubResourceIntegrity and why it is so important for securing your sites and its visitors.

Please share and provide feedback 🙂

Securing your CDN: Why and how should you use SRI | MDN Blog

Relying on external resources for your website is always fraught with risks. Learn how to protect your website and its visitors by using SRI to secure third-party content.

Finally found the time to open a discussion on the Snowpack forums about the lack of subresource integrity (SRI) in Skypack: https://github.com/snowpackjs/snowpack/discussions/2569

(Background: my post from the end of last year titled Skypack: backdoor as a Service? https://ar.al/2020/12/30/skypack-backdoor-as-a-service/)

#skypack #snowpack #SubresourceIntegrity #SRI #security #privacy

Skypack and (lack of) subresource integrity · Discussion #2569 · snowpackjs/snowpack

WASM-powered frontend build tool. Fast, lightweight, unbundled ESM. ✌️ - snowpackjs/snowpack

If you specify subresource integrity in a script tag and then import that script also from a separate tag later on, and the source fails the integrity check, on:

1. Firefox (Gecko): script doesn’t execute
2. Ungoogled Chromium (Chromium): script doesn’t execute
3. Epiphany (WebKit): script tag is blocked but script executes via the import

Not sure if Safari does the same but that’s not good.

#SubresourceIntegrity #security

Crafty Web Skimming Domain Spoofs “https” - Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that o... more: https://krebsonsecurity.com/2020/03/crafty-web-skimming-domain-spoofs-https/ #grandwesternsteaks.com #contentsecuritypolicy #subresourceintegrity #alittlesunshine #cheneybros.inc. #thecomingstorm #denissinegubko #jeromesegura #malwarebytes #webfraud2.0 #privacy.com #ryanbarnett #publicwww #akamai #.ps

We've had #SRI #SubresourceIntegrity for a while now, and we now also have #ES6 modules, but they cannot be combined at all. Either you use SRI or ES6 modules… https://discourse.mozilla.org/t/using-sri-for-es6-module-import/33749 #js
Using SRI for ES6 module import?

Are there any ideas to add a way to add Subresource Integrity for ES6 modules, so you can import a JS module and ensure its integrity? IMHO it is very important to preserve that new security feature for this new loading method. Also asked on Stackoverflow.

@x_cli @varx First, BTW, all browsers nowadays have very secure sandboxes – as if Chrome were effectively better here. Also Firefox, e.g., introduced a multi-process (Electrolysis) architecture and also improved its speed quite a lot.
(There may rather be privacy problems with Chrome though: https://social.wiuwiu.de/@rugk/101111620938232666)

Anyway, yes, that's a problem, but (theoretically) a solved one: #SubresourceIntegrity (#SRI) can e.g. be used.

rugk (@[email protected])

Any maintainer for private web services/websites here? Better now add a "notranslate" meta tag to ask Google Chrome/ium to stop sending all your private user data to #Google. (Note you cannot prevent it as a web admin though.) #Chrome #Chromium #privacy
