[Owasp-leaders] 3rd Party JavaScript Management Cheatsheet

Akash Mahajan akash.mahajan at owasp.org
Fri Apr 15 10:50:29 UTC 2016


Hi Rogan,

I think you are talking about Subresource Integrity. Some links that can
be referenced:

https://www.w3.org/TR/SRI/
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
https://googlechrome.github.io/samples/subresource-integrity/
http://githubengineering.com/subresource-integrity/


On 15 April 2016 at 15:11, Rogan Dawes <rogan at dawes.za.net> wrote:

> My google-fu is weak today, but I'm pretty sure I recall reading about a
> mechanism to provide a checksum of an included resource in the including
> page, such that the browser will reject any content that does not match the
> checksum. That seems like a valuable addition to this cheat sheet, to me.
>
>
> On Fri, Apr 15, 2016 at 10:02 AM Kim Carter <kim.carter at owasp.org> wrote:
>
>> Excellent! Doesn't seem to be anything there though...
>>
>> Kim Carter
>>
>> OWASP New Zealand Chapter Leader (Christchurch)
>>
>> Author of *Holistic Info-Sec for Web Developers*
>> <https://leanpub.com/b/holisticinfosecforwebdevelopers>
>>
>> c: +64 274 622 607
>>
>> On 15/04/16 09:10, Taras wrote:
>>
>> Hi!
>>
>> It's a very interesting topic and a good cheatsheet! My suggestions are:
>> 1. Add some code examples
>> 2. Add some diagrams to illustrate the Server Direct flow
>> 3. What about using SRI (https://www.w3.org/TR/SRI/)? Can we use it
>> here?
>> 4. What about using an iframe from a different domain (e.g. a static data
>> host) as a "jail" for such 3rd party code? We can make communication
>> between the host and this iframe with postMessage.
>>
>>
>> On Mon, 11/04/2016 at 16:41 -1000, Jim Manico wrote:
>>
>> Hello folks,
>>
>> Jim Weiler from the OWASP Boston chapter just released a cheatsheet
>> on 3rd party JavaScript management. I think this is a solid and very
>> interesting piece of work. It addresses a security concern which many
>> website operators face.
>>
>> Take a look, your feedback is - as always - appreciated.
>> https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet
>>
>> Aloha,
>> Jim Manico
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>


-- 
Warm regards,
Akash Mahajan

*That Web Application Security Guy* | +91 99 805 271 82
akashm.com | *@makash* on twitter | linkd.in/webappsecguy
*OWASP Bangalore Chapter Lead | null Community Manager*