/webappsec-subresource-integrity

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integrity for service workers #66

Open
hlandau opened this Issue Feb 28, 2017 · 0 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@hlandau
@hlandau

hlandau commented Feb 28, 2017

I think it would be valuable to support SRI for service worker JS files.

Reasoning: There's a lot of controversy about web-based crypto applications. Namely, that they're never truly secure because they can be compromised by changing the code shipped to the client implementing the crypto, and there's a lack of visibility for client-side code updates on the web.

If a service worker could be constrained to have a specific hash, that service worker could, in turn, implement a site-specific content verification policy. It could, for example, chainload another service worker file after verifying a cryptographic signature, so it wouldn't prevent frequent updates. Applications would be free to define policies around those updates that quell any concerns about the visibility of future updates to a codebase. As an arbitrary example, signatures from multiple unrelated parties could be required. Having verified a service worker implementing such a trust policy, the use of such a service worker would be verified simply via its hash. Thus adding SRI for service workers has the potential to create a programmable root of trust for an entire website. In particular, service workers are designed to have great longevity as things a browser remembers.

I could envisage someone developing an addon that ships a preloaded list of service worker SRI pins for popular origins providing cryptographic applications. People could update their list of pins based on what they're willing to trust, which would make code updates more visible for high-security web applications.

These aren't the only use cases; if you don't find them compelling, there are others. Because a service worker has extremely powerful control over an origin, and is remembered for long periods, a compromised service worker file is potentially one of the most disastrous things that could happen to a site. I'd therefore argue that extending SRI to service workers should be a fairly high-priority item, relative to other things to which SRI might be extended, like images.

Proposed API: Add an integrity field to the options object passed to ServiceWorkerContainer.register().
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment