Add SRI to hotlinking examples · Issue #326 · pyscript/pyscript · GitHub

Add SRI to hotlinking examples #326


Closed
mflaxman opened this issue May 10, 2022 · 11 comments
Labels
backlog issue has been triaged but has not been earmarked for any upcoming release type: feature New feature or request

Comments

@mflaxman

Given the security implications of pyscript, it makes sense to recommend SRI when hotlinking pyscript.js:

<script
    defer
    src="https://pyscript.net/alpha/pyscript.js"
    integrity="sha384-IwRwL1M346tP5zp9BKvjinCQC8x78+d+KCeRonZ6gO4XgSBop4cJegZ+SV++AhMR"
    crossorigin="anonymous"
></script>

Integrity check was calculated successfully as follows:

$ curl https://pyscript.net/alpha/pyscript.js | openssl dgst -sha384 -binary | openssl base64 -A
IwRwL1M346tP5zp9BKvjinCQC8x78+d+KCeRonZ6gO4XgSBop4cJegZ+SV++AhMR

Of course this will create issues when updating pyscript.js, so these links really should be version-pinned (I assume that's what /alpha/ means in this context).

@mflaxman mflaxman added the needs-triage Issue needs triage label May 10, 2022
@verhulstm
Contributor

which security implications of pyscript?

@mflaxman
Author
mflaxman commented May 11, 2022

An example:

  1. Webpage imports pyscript.js using only the recommended method: <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
  2. pyscript.net has previously been compromised to serve a malware version of pyscript.js
  3. Code that is believed to do X actually does Y thanks to malware

This is not a theoretical example, let's say you want to build an app that encrypts data. How could you know that you weren't interacting with malware that was stealing your private keys? SRI is built to solve this problem (and many others).

@ckavidas

I think there was an issue related to setting up a CDN (#309) and this should be a requirement underneath that issue no?

@mflaxman
Author

I think you want SRI regardless of whether you use a 3rd party CDN or whether you use pyscript.net as your CDN. From the perspective of the app developer, both are 3rd parties.

Having an official hash digest is great, because then ultimately developers don't care who serves up that JS. Using SRI nearly eliminates the risk that a third party has tampered with pyscript.js. In other words, even if pyscript.js were published on a CDN (or many), I'd want to get the hash digest directly from the project authors.

@verhulstm
Contributor

the security implications of pyscript are the same as the security implications of JS and WASM right?

what is special or different about pyscript?

@verhulstm
Contributor
verhulstm commented May 11, 2022

it seems to me you are saying all new web projects that pull code from a CDN should use SRI?

@verhulstm
Contributor

i am trying to ask if you know of a specific security implication of pyscript that does not also exist in JS or WASM?

@ckavidas
ckavidas commented May 11, 2022

the security implications of pyscript are the same as the security implications of JS and WASM right?

what is special or different about pyscript?

They are the same security implications that would exist with any third party dependency (example: bootstrap). SRI exists to help ensure the integrity of the software aka:
"This software came from vendor_x (whom I have implicit trust in) because it included hash_y in the official release of the software"

This would certainly make people more comfortable about including pyscript in their websites since it would minimize the impact of the source of the pyscript files being compromised since any compromise would (in 99.999999999999999999999% of the time) produce a hash different from the one in the website thus failing the integrity check.
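The opening post shows the shell pipeline used to derive the integrity value, and this comment describes what the browser's check actually buys you. The module below is an added example (not code from the issue or from the pyscript project) that does both in Python: it reproduces the sha384 + base64 computation, verifies bytes against an integrity attribute following the browser rules (several space-separated hashes allowed, only the strongest algorithm present is considered, unknown algorithms ignored, an optional `?options` suffix dropped), and shows a single-byte change failing the check. The script bytes are constructed stand-ins for pyscript.js, and the integrity string copied from the issue is used only to check its format, since the real file is not fetched.

```python
"""Compute and verify Subresource Integrity (SRI) values for a hotlinked script."""
import base64
import hashlib
import hmac

# Digest algorithms the SRI spec allows; sha384 is what the issue's example uses.
SRI_ALGORITHMS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}

# Constructed sample bytes standing in for pyscript.js (not the real file).
SAMPLE_SCRIPT = b"console.log('hello from pyscript');\n"
# The same bytes with a one-word change, to show that any tampering changes the digest.
TAMPERED_SCRIPT = SAMPLE_SCRIPT.replace(b"hello", b"hijacked")
# Integrity value quoted from the issue; only its format is checked here.
ISSUE_INTEGRITY = "sha384-IwRwL1M346tP5zp9BKvjinCQC8x78+d+KCeRonZ6gO4XgSBop4cJegZ+SV++AhMR"


def sri_from_bytes(data: bytes, algo: str = "sha384") -> str:
    """Return an integrity attribute value such as 'sha384-<base64 digest>'.

    Same result as the issue's pipeline:
    openssl dgst -sha384 -binary | openssl base64 -A
    """
    digest = SRI_ALGORITHMS[algo](data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_digest_size(integrity_value: str) -> int:
    """Decoded digest length in bytes (48 for sha384): a quick well-formedness check."""
    _algo, _sep, b64 = integrity_value.partition("-")
    return len(base64.b64decode(b64.split("?", 1)[0], validate=True))


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check data against an integrity attribute using the browser's matching rules.

    Note the one deliberate difference: a browser that parses no usable hash
    loads the resource anyway, whereas this checker returns False so a typo in
    the attribute is noticed rather than silently disabling the check.
    """
    candidates: dict[str, list[str]] = {}
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        if not sep or algo not in SRI_ALGORITHMS:
            continue  # browsers skip tokens with unknown algorithms
        b64 = b64.split("?", 1)[0]  # drop the optional "?options" suffix
        candidates.setdefault(algo, []).append(b64)
    if not candidates:
        return False
    # Only hashes of the strongest listed algorithm are considered.
    strongest = max(candidates, key=lambda a: SRI_ALGORITHMS[a]().digest_size)
    actual = SRI_ALGORITHMS[strongest](data).digest()
    for b64 in candidates[strongest]:
        try:
            expected = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # malformed base64 never matches
        if hmac.compare_digest(actual, expected):
            return True
    return False


def render_script_tag(src: str, integrity: str) -> str:
    """Build the tag shown in the issue. crossorigin="anonymous" is required for
    SRI to be enforced on a cross-origin script such as one served from pyscript.net."""
    return (
        "<script\n    defer\n"
        f'    src="{src}"\n'
        f'    integrity="{integrity}"\n'
        '    crossorigin="anonymous"\n></script>'
    )


if __name__ == "__main__":
    value = sri_from_bytes(SAMPLE_SCRIPT)
    print(render_script_tag("https://pyscript.net/alpha/pyscript.js", value))
    print("genuine script passes:", verify_sri(SAMPLE_SCRIPT, value))
    print("tampered script passes:", verify_sri(TAMPERED_SCRIPT, value))
    print("issue's digest is", sri_digest_size(ISSUE_INTEGRITY), "bytes")
```

Two practical notes follow from the code: the integrity value you publish must be regenerated for every release of the file, which is why the issue ties SRI to version-pinned URLs, and a browser given an attribute it cannot parse at all will load the script unchecked, so the value should be copied exactly from the project's official release rather than retyped.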

@verhulstm
Contributor

I think we should be able to enable SRI

@antocuni antocuni added type: feature New feature or request and removed needs-triage Issue needs triage labels May 13, 2022
@fpliger
Contributor
fpliger commented May 19, 2022

Thanks @mflaxman , this is a great suggestion. It's definitely worth exploring/considering after we get #337 sorted.

@marimeireles marimeireles added the backlog issue has been triaged but has not been earmarked for any upcoming release label Oct 4, 2022
@WebReflection
Contributor

I am not sure why semver or any other versioning would solve the inherent issue described in here, but that decision has been made and we still land on CDN and I think that's the right thing to do.

Closing until further explanations or reasons around this issue ... we're almost CSP compliant too, if the hash for the Worker and the WASM source is enabled, so I think this issue can be closed.

7 participants