Friday, May 22 • 11:55 - 12:40
Using A JavaScript CDN That Can Not XSS You - With Subresource Integrity


Today, web applications commonly use a rich set of assets, such as JavaScript libraries or fonts. To perform well, they have to rely on third-party content delivery networks (CDNs). But how secure are these CDN providers? A compromised or rogue CDN may harm thousands of web pages. A recent breach of jQuery.com confirms that it is good security practice not to have to trust your content delivery network.
This talk will focus on a new web standard, called Subresource Integrity (SRI), which aims to help web developers keep rogue third-party scripts from compromising their web pages. SRI achieves this by allowing the developer to provide a hash of the expected content in order to detect and prevent undesired changes. The talk will also cover the current standardization process, highlighting the security considerations faced, as well as the implementation status in modern browsers.
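
The hash check described above, as an added example that is not from the talk or from any browser's code: a Node.js sketch that builds an `integrity` value and applies the SRI matching rules (whitespace-separated `alg-digest` tokens, strongest algorithm wins). The function names and the sample script bodies are constructed for illustration.

```javascript
// Added example: SRI-style integrity check using only Node's built-in crypto.
const nodeCrypto = require("crypto");

// Hash functions SRI defines, ordered weakest to strongest.
const ALGS = ["sha256", "sha384", "sha512"];

const digest = (alg, body) =>
  nodeCrypto.createHash(alg).update(body).digest("base64");

// Build the value a developer puts in integrity="...", e.g. "sha384-<base64>".
function sriFor(body, alg = "sha384") {
  if (!ALGS.includes(alg)) throw new Error("unsupported algorithm: " + alg);
  return `${alg}-${digest(alg, body)}`;
}

// Parse whitespace-separated "alg-digest[?options]" tokens; skip anything else.
function parseIntegrity(attr) {
  const parsed = [];
  for (const token of attr.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    if (m) parsed.push({ alg: m[1], value: m[2] });
  }
  return parsed;
}

// Return true if the fetched body may be used under the given integrity value.
function verify(body, attr) {
  const parsed = parseIntegrity(attr);
  // No usable metadata means no integrity requirement: the load is allowed.
  if (parsed.length === 0) return true;
  // Only the strongest algorithm present counts, so a weaker hash listed
  // beside it cannot be used to get different content accepted.
  const best = ALGS[Math.max(...parsed.map((p) => ALGS.indexOf(p.alg)))];
  const actual = digest(best, body);
  return parsed.some((p) => p.alg === best && p.value === actual);
}

// Constructed sample: the library as reviewed, and a modified CDN response.
const reviewed = Buffer.from("window.lib = { version: '1.0' };\n");
const modified = Buffer.from("window.lib = { version: '1.0' }; /* changed */\n");
const pinned = sriFor(reviewed);

console.log(pinned);
console.log("reviewed accepted:", verify(reviewed, pinned));
console.log("modified accepted:", verify(modified, pinned));
```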


Frederik Braun

Security at Mozilla

Friday May 22, 2015 11:55 - 12:40
E104&105 Amsterdam RAI
