New CSP directive to make Subresource Integrity mandatory (`require-sri-for`)

Background

GitHub is one of the first big websites using Subresource Integrity and can thus defend against compromised or malicious Content Delivery Networks (CDNs). The tricky thing with SRI is that you have to include the integrity attribute on every HTML tag that points to a CDN if you want the security benefit. And then, of course, it happened that someone forgot to add it and people were sad. Fortunately, they brought this to the Webappsec Working Group and discussed the matter!

Omitting the details

There have been some discussions about whether this should be a parameter on script-src, style-src, etc., which I would like to omit for the sake of brevity. Feel free to jump into the mailing list (linked previously) if you are curious about this.

How it works

It's simple! Just add the directive to your Content Security Policy and specify whether you need it for scripts, styles, or both: Content-Security-Policy: require-sri-for script style

Example:

If you are running today's Firefox Nightly (June 2nd, 2016), you should not see an alert box from html5sec.org when visiting the PHP script below:

<?php
header("Content-Security-Policy: require-sri-for script style");
?>
<!-- This should load, but cause a devtools warning because bootstrap requires jQuery -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>

<!-- These shouldn't load; each causes a CSP violation to be reported. An alert popup indicates failure. -->
<script src="https://html5sec.org/test.js" integrity="foo"></script>
<script src="https://html5sec.org/test.js" integrity=""></script>
<script src="https://html5sec.org/test.js"></script>

(Sorry, no public demo URL ☹)

Calling for testers

This feature is relatively new, so we need some feedback from enthusiasts. Please see whether you find this useful in deployment (looking at you, GitHub folks), and you, security testers: can you load scripts from other origins without integrity even though a require-sri-for policy is in place? But please see my notes on known issues below.

Feel free to also look into my patch if you know a thing or two about C++ and Firefox. The implementation was discussed in Bugzilla bug 1265318, with the patches attached.

Known Issues

  • CSP violation reporting currently complains about the document URL that included the subresource instead of the subresource URL (bug 1277495).
  • <svg:script> is, technically speaking, not the same as HTML's <script>, so there are theoretical bypasses via SVG and other mechanisms that run scripts & styles without <link href> and <script src>. I couldn't bypass this using the obvious SVG script tag, but this needs further investigation (bug 1277248).
  • Firefox doesn't manage to enforce the directive when the CSP is in a <meta> tag (bug 1277557).

Your Feedback

Please submit your feedback as bugs in Bugzilla using this link if you want someone to see it. I will not monitor IRC, Twitter or E-Mail over the next few months, as I am going to be on leave over the summer.

Acknowledgements

Thanks to Patrick Toomey from GitHub for raising the issue about SRI enforcement in the first place. Neil Matatall started bringing this into the SRI spec and Sergey Shekyan is currently continuing this. Thanks to both of you! Thanks to Christoph Kerschbaumer for helping me work on the implementation and Jonathan Hao for doing the groundwork.
