|
6 | 6 | <p> |
7 | 7 | Including a resource from an untrusted source or using an untrusted channel may |
8 | 8 | allow an attacker to include arbitrary code in the response. |
9 | | - When including an external resource (eg., a <code>script</code> element or an |
| 9 | + When including an external resource (for example, a <code>script</code> element or an |
10 | 10 | <code>iframe</code> element) on a page, it is important to ensure that the received |
11 | 11 | data is not malicious. |
12 | 12 | </p> |
13 | 13 |
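Review bot: the new line at 9 reads well, but the unchanged sentence it leads into ("it is important to ensure that the received data is not malicious") is vaguer than the two threats the following paragraphs actually describe. Consider "it is important to ensure that the data received has not been tampered with, either in transit or at the server that supplies it", which sets up the MITM paragraph and the compromised-server paragraph that follow.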
|
14 | 14 | <p> |
15 | | - When including external resources, it is possible to verify that the origin (the server |
16 | | - that responds to the request) is the intended one by using an <code>https</code> URL. |
| 15 | + When including external resources, it is possible to verify that the responding server |
| 16 | + is the intended one by using an <code>https</code> URL. |
17 | 17 | This prevents a MITM (man-in-the-middle) attack where an attacker might have been able |
18 | 18 | to spoof a server response. |
19 | 19 | </p> |
20 | 20 |
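Review bot: the rewritten lines 15-16 still overstate what an https URL gives you, and the unchanged "This prevents a MITM ... attack" sentence inherits that. An https URL lets the browser verify that the response comes from the server named in the URL and that it was not altered in transit; it does not say anything about whether that server is "the intended one" in any other sense. Suggest: "By using an https URL, the browser can verify that the response comes from the server named in the URL and has not been modified in transit. This prevents a MITM (man-in-the-middle) attack in which an attacker spoofs or alters the server's response."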
|
21 | 21 | <p> |
22 | | - Even when <code>https</code> is used, an attacker might still compromise the origin server. |
23 | | - When using a <code>script</code> element, checking for <em>subresource integrity</em> |
24 | | - (checking the contents of the data received by supplying a cryptographic digest of the |
25 | | - expected sources to the script element) is possible. The script will only load sources |
26 | | - that match the digest and an attacker will be unable to modify the script even when the |
27 | | - server is compromised. |
| 22 | + Even when <code>https</code> is used, an attacker might still compromise the server. |
| 23 | + When you use a <code>script</code> element, you can check for subresource integrity - |
| 24 | + that is, you can check the contents of the data received by supplying a cryptographic |
| 25 | + digest of the expected sources to the <code>script</code> element. The script will only |
| 26 | + load sources that match the digest and an attacker will be unable to modify the script |
| 27 | + even when the server is compromised. |
28 | 28 | </p> |
29 | 29 |
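Review bot: two points on lines 23-26. First, "a cryptographic digest of the expected sources" is ambiguous (sources of what?); the digest is of the expected script contents, and it is supplied through the element's <code>integrity</code> attribute, which this paragraph never names even though the next paragraph refers to it. Second, "The script will only load sources that match the digest" attributes the check to the script rather than the browser. Suggest: "that is, you can supply a cryptographic digest of the expected script contents in the <code>script</code> element's <code>integrity</code> attribute. The browser will only execute the script if its contents match the digest, so an attacker cannot modify the script even when the server is compromised." Minor: the bare hyphen after "subresource integrity" is doing the job of a dash; the old text used parentheses, which is also what the rest of this file uses.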
|
30 | 30 | <p> |
31 | 31 | Subresource integrity checking is commonly recommended when importing a fixed version of |
32 | | - a library, eg., from a CDN (content-delivery network). Then, the fixed digest of that |
33 | | - version of the library can easily be added to the <code>script</code> element's |
| 32 | + a library - for example, from a CDN (content-delivery network). Then, the fixed digest |
| 33 | + of that version of the library can easily be added to the <code>script</code> element's |
34 | 34 | <code>integrity</code> attribute. |
35 | 35 | </p> |
36 | 36 | </overview> |
37 | 37 |
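Review bot: line 32 again uses a bare hyphen as a dash ("a library - for example, from a CDN"); the previous wording used a comma, and a comma or parentheses would be consistent with the rest of the help text. It would also help the reader to say why a fixed version matters, since the digest is only valid for one exact set of contents: "Subresource integrity checking is commonly recommended when importing a fixed version of a library (for example, from a CDN (content-delivery network)), because the digest corresponds to the exact contents of that version."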
|
38 | 38 | <recommendation> |
39 | 39 | <p> |
40 | | - When an <code>iframe</code> element is used to embed a page, it is important to use a |
| 40 | + When an <code>iframe</code> element is used to embed a page, it is important to use an |
41 | 41 | <code>https</code> URL. |
42 | 42 | </p> |
43 | 43 |
|
44 | 44 | <p> |
45 | | - When using a <code>script</code> element to load a script, it is important to use a |
| 45 | + When using a <code>script</code> element to load a script, it is important to use an |
46 | 46 | <code>https</code> URL and to consider checking subresource integrity. |
47 | 47 | </p> |
48 | 48 | </recommendation> |
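Review bot: the article fix on line 45 is correct ("an https URL"). While touching this sentence, "to consider checking subresource integrity" could be made actionable by tying it to the attribute the overview already introduces: "and, when loading a fixed version of a library, to set the <code>integrity</code> attribute so that the browser checks subresource integrity." As written, the recommendation leaves the reader to find the attribute name in the overview.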
|