Integrity protection for third-party JavaScript

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js" integrity="type:text/javascript sha512-AODL7idgffQeNsYdTzut09nz9AINcjhj4jHD72HcLirsidbC8tz+dof7gceOCQD8WskeuRFfJ9CsgZTHlMiOYg=="></script>
Integrity protection for 3rd-party JavaScript
François Marier @fmarier mozilla

Firefox Security & Privacy

Web Platform

Content Security Policy aka CSP
mechanism for preventing XSS

telling the browser what external content is allowed to load

what does CSP look like?

$ curl --head https://mega.nz
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1989
Content-Security-Policy:
  default-src 'self' *.mega.co.nz *.mega.nz http://*.mega.co.nz http://*.mega.nz;
  script-src 'self' mega.co.nz mega.nz data: blob:;
  style-src 'self' 'unsafe-inline' *.mega.co.nz *.mega.nz data: blob:;
  frame-src 'self' mega:;
  img-src 'self' *.mega.co.nz *.mega.nz data: blob:

Hi you<script>alert('p0wned');</script>!
Tweet!
What's on your mind?

(of course, in a real web application, this would never be a problem)

(the JS would be filtered out during input sanitisation)

without CSP

Hi you!
Freedom Fighter @whaledumper - just moments ago
p0wned
Ok

with CSP

Hi you!
Freedom Fighter @whaledumper - just moments ago

Content-Security-Policy:
script-src 'self'
https://cdn.example.com

inline scripts are blocked unless unsafe-inline is specified

directives:
script-src
object-src
style-src
img-src
media-src
frame-src
marquee-src
font-src
connect-src

violation reports:
$ curl --head https://twitter.com
HTTP/1.1 200 OK
content-length: 58347
content-security-policy: … report-uri https://twitter.com/csp_report

"csp-report": {
  "document-uri": "http://example.org/page.html",
  "referrer": "http://evil.example.com/haxor.html",
  "blocked-uri": "http://evil.example.com/image.png",
  "violated-directive": "default-src 'self'",
  "effective-directive": "img-src",
  "original-policy": "default-src 'self';report-uri http://example.org/..."
}

new directives
form-action
plugin-types

support for inline scripts
Content-Security-Policy:
script-src 'sha256-YWIzOW...'

https://connect.microsoft.com/IE/feedback/details/793746/ie11-feature-request-support-for-the-content-security-policy-header

HTTP Strict Transport Security
aka HSTS
mechanism for preventing HTTPS to HTTP downgrades

telling the browser that your site should never be reached over HTTP

no HSTS, no sslstrip
GET asb.co.nz → 301
GET https://asb.co.nz → 200

no HSTS, with sslstrip
GET asb.co.nz → 200

what does HSTS look like?

$ curl -i https://login.xero.com
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN

with HSTS, with sslstrip
GET https://asb.co.nz → 200

silent client-side redirects HTTP → HTTPS

no HTTP traffic for sslstrip to tamper with

except for the very first connection

pop quiz!
how many .nz sites are on the preload list?

$ grep \\.nz force-https.json
{ "name": "mega.co.nz" },
{ "name": "api.mega.co.nz" },

http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

wanna know more?
https://speakerdeck.com/fmarier/defeating-cross-site-scripting-with-content-security-policy-updated

2015?

no need to add any extra headers

https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js

how common is this?

what would happen if that server were compromised?

Bad Things™
steal sessions
leak confidential data
redirect to phishing sites
enlist DDoS zombies

simple solution

instead of this:
<script src="https://ajax.googleapis.com...">

do this:
<script src="https://ajax.googleapis.com..."
        integrity="sha256-1z4uG/+cVbhShP...">

You owe me $10.00.
f4243c12541be6f79c73e539c426e07af2f6c4ef8794894f4903aee54542586d

You owe me $1000.
1ebd7a8d15a6dab743f0c4d147f731bcfc6b74752afe43afa5389ba8830a2215

guarantee: script won't change or it'll be blocked

limitation: won't work for scripts that change all the time

3 types of scripts

dynamically-generated script:
not a good fit for SRI

https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js

immutable scripts:
perfect for SRI

what about your own scripts?
(they change, but you're the one changing them)

scripts under your control:
good fit for SRI

can usually add the hashing to your static resource pipeline

#!/bin/sh
# Concatenate the sources, then name the bundle after its own SHA-256 digest
cat src/*.js > bundle.js
HASH=$(sha256sum bundle.js | cut -f1 -d' ')
mv bundle.js "public/bundle-${HASH}.js"

public/bundle-c2498bc358....js
Cache-Control: max-age=∞

<script src="widgets.js">
<script src="app.js">
<script src="menu.js">

<script src="bundle-c2498bc....js">

<script src="bundle-c2498bc....js" integrity="sha256-c2498bc...">

what else?

integrity="
  sha256-1z4uG/+cVbhShP...
"

integrity="
  type:application/javascript
  sha256-1z4uG/+cVbhShP...
"

integrity="
  type:application/javascript
  sha512-AODL7idgffQeNs...
"

integrity="
  type:application/javascript
  sha256-1z4uG/+cVbhShP...
  sha384-RqG7UC/QK2TVRa...
  sha512-AODL7idgffQeNs...
"

stylesheet support
<link rel="stylesheet"
      href="style.css"
      integrity="sha256-PgMdguwx/O...">

violation reports
Content-Security-Policy:
integrity-policy block

violation reports
Content-Security-Policy:
integrity-policy report;
report-uri https://...

cat file.js | openssl dgst -sha256 -binary | openssl enc -base64 -A
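
Added example (not from the original slides): a Python sketch of the hashing step for a build pipeline and of the load decision for an integrity attribute that lists several hashes. The function names and the sample bundle are constructed for illustration; it goes beyond the slides in modelling the check itself, where only the strongest listed algorithm is compared and an attribute with no recognised hash leaves the resource unverified.

```python
import base64
import hashlib

# Digest algorithms used in the slides' integrity values, weakest to strongest.
ALGORITHMS = ("sha256", "sha384", "sha512")


def integrity_value(content: bytes, algorithm: str = "sha256") -> str:
    """Return '<alg>-<base64 of the binary digest>' (base64, not the hex digest)."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attribute: str) -> dict:
    """Group the base64 digests in an integrity attribute by algorithm.

    Tokens that are not '<known alg>-<digest>' are skipped, not rejected.
    """
    found = {}
    for token in attribute.split():
        algorithm, sep, digest = token.partition("-")
        digest = digest.split("?", 1)[0]  # drop any '?options' suffix
        if sep and algorithm in ALGORITHMS and digest:
            found.setdefault(algorithm, []).append(digest)
    return found


def verify(content: bytes, attribute: str) -> bool:
    """Model the load decision: only the strongest listed algorithm counts."""
    hashes = parse_integrity(attribute)
    if not hashes:
        # Nothing usable to check against: the resource loads unverified,
        # so a typo in the algorithm name silently removes the protection.
        return True
    strongest = max(hashes, key=ALGORITHMS.index)
    expected = integrity_value(content, strongest).split("-", 1)[1]
    return expected in hashes[strongest]


def bundle_tag(content: bytes) -> str:
    """Pipeline step: the hex digest names the file, the base64 digest
    goes into the integrity attribute."""
    name = f"bundle-{hashlib.sha256(content).hexdigest()}.js"
    return f'<script src="{name}" integrity="{integrity_value(content)}"></script>'


if __name__ == "__main__":
    bundle = b"console.log('hello');\n"          # constructed sample bundle
    tampered = bundle + b"/* injected */"        # constructed modified copy
    attribute = " ".join(integrity_value(bundle, a) for a in ALGORITHMS)
    print(bundle_tag(bundle))
    print("original passes:", verify(bundle, attribute))
    print("tampered passes:", verify(tampered, attribute))
```
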

status?

spec is approaching “last call”

(initial implementations)

© 2015 François Marier <[email protected]>
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
Questions?
feedback:
[email protected]@w3.org

photo credits:
bank notes: https://www.flickr.com/photos/epsos/8463683689
web devs: https://www.flickr.com/photos/mbiddulph/238171366
explosion: https://www.flickr.com/photos/-cavin-/2313239884/