Lack of interest Subresource Integrity (SRI) support

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.

WoodiE

Well-known member
Xenforo gives us the option to load jQuery from outside sources (such as Google, Microsoft, and jQuery CDN's) via the AdminCP.

It would be great if, instead of just linking directly to the .js file as it currently does, Xenforo also added the Subresource Integrity (SRI) hash as well. I would think this would be a minor and quick addition to Xenforo that would provide every Xenforo forum another layer of security.

Basically turning this:
HTML:
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>

into this:
HTML:
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js" integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4= sha384-xBuQ/xzmlsLoJpyjoggmTEz8OWUFM0/RC5BsqQBDX2v5cMvDHcMakNTNrHIW2I5f sha512-3P8rXCuGJdNZOnUx/03c1jOTnMn3rP63nBip5gOP2qmUh5YAdVAvFZ1E+QLZZbC1rtMrQb+mah3AfYW11RUrWA==" crossorigin="anonymous"></script>

So why add SRI support? Because it adds a layer of security that can potentially help prevent running malicious code should those linked-to .js files be edited. As was the case with TextHelp, which affected thousands of sites and caused them to run crypto-miner software. Or in the most recent case where credit card info on the UK Ticketmaster site was being sent to an attacker. Even Bootstrap has had a similar issue in the past.

Sure the chance may or may not be very likely this ever happening, but really this is such an easy thing to implement in the core and something that would give every forum that one extra layer of security.

Hope you guys consider adding this!
 
Upvote 1
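The tag rewrite in the post above is mechanical, so here is an added example (not part of the original post and not XenForo code) that generates the integrity attribute for a resource body and then reproduces the check a browser performs on the downloaded file. The sample script bytes are constructed for the example; against a real jquery.min.js the generator produces the same tokens as srihash.org or `openssl dgst -sha384 -binary jquery.min.js | openssl base64 -A`. The verifier also shows the one edge case worth knowing: when several algorithms are listed, the browser only checks the strongest one it supports, and an attribute with no recognised algorithm is treated as "no check" rather than as a failure.

```python
import base64
import hashlib
import hmac

# Ordered weakest to strongest. Browsers keep only the strongest listed
# family they support and ignore the other tokens entirely.
ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed stand-in for the body of jquery.min.js (not the real file).
SAMPLE_SCRIPT = b"/*! constructed stand-in for jquery.min.js */ window.jQuery = {};"


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return one '<alg>-<base64 digest>' token for a resource body."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def integrity_attribute(content: bytes, algorithms=ALGORITHMS) -> str:
    """Space-separated tokens, one per algorithm, as in the post's example tag."""
    return " ".join(sri_hash(content, alg) for alg in algorithms)


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag the post asks for. crossorigin="anonymous" is
    required for cross-origin scripts: without CORS the browser cannot read
    the body, so it cannot hash it and refuses to run it under SRI."""
    return (f'<script src="{src}" integrity="{integrity_attribute(content)}" '
            f'crossorigin="anonymous"></script>')


def parse_integrity(value: str) -> dict:
    """Split an integrity attribute into {algorithm: [digest, ...]}.
    Tokens with an unknown algorithm are dropped, not treated as errors."""
    listed = {}
    for token in value.split():
        alg, sep, rest = token.partition("-")
        alg = alg.lower()
        if sep and alg in ALGORITHMS:
            digest = rest.split("?", 1)[0]  # strip any "?option" suffix
            listed.setdefault(alg, []).append(digest)
    return listed


def verify(content: bytes, integrity: str) -> bool:
    """Reproduce the browser-side check on a fetched body.

    Only the strongest listed algorithm is consulted; the resource passes
    if any digest under that algorithm matches. An attribute that lists no
    recognised algorithm imposes no check, so the resource is allowed."""
    listed = parse_integrity(integrity)
    if not listed:
        return True
    strongest = max(listed, key=ALGORITHMS.index)
    actual = sri_hash(content, strongest).partition("-")[2]
    return any(hmac.compare_digest(actual, expected)
               for expected in listed[strongest])


if __name__ == "__main__":
    src = "https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"
    tag = script_tag(src, SAMPLE_SCRIPT)
    print(tag)
    pinned = integrity_attribute(SAMPLE_SCRIPT)
    print("unmodified body accepted:", verify(SAMPLE_SCRIPT, pinned))
    # A CDN that has been tampered with serves different bytes: the hash
    # no longer matches and the browser refuses to execute the script.
    print("tampered body accepted:", verify(SAMPLE_SCRIPT + b"\nfetch('/steal');", pinned))
```

Because the digest is tied to exact bytes, SRI only works against a URL that pins a specific version (as the post's jquery/3.2.1 URL does); a "latest" CDN path would break on every upstream update, which is why a build step regenerates the attribute whenever the bundled version changes.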

WoodiE

Well-known member
British Airlines was breached last week due to a compromised version of a javascript library - https://www.riskiq.com/blog/labs/magecart-british-airways-breach/

Today, it's been announced that Newegg has also fallen victim to this same type of attack - https://www.riskiq.com/blog/labs/magecart-newegg/

Troy Hunt and John Elliott have a great video on Pluralsight on how to protect against these types of attacks, and of course they mention SRI.


@Mike This would be trivial to implement into the core of Xenforo yet protect us against people trying to inject malicious code into our forums - be it cryptomining, password stealing or whatever.

Here are some great resources about the subject:

How to implement SRI in your build process
https://hacks.mozilla.org/2016/04/how-to-implement-sri-into-your-build-process/

SRI Hash Generator
https://www.srihash.org/

How to implement Subresource Integrity (SRI)
http://www.ethanjoachimeldridge.info/tech-blog/implementing-subresource-integrity-sri

Protecting your embedded content with subresource integrity (SRI)
https://www.troyhunt.com/protecting-your-embedded-content-with-subresource-integrity-sri/
 