[Owasp-leaders] 3rd Party JavaScript Management Cheatsheet

Ryan Barnett ryan.barnett at owasp.org
Fri Apr 15 12:59:01 UTC 2016


New Content Security Policy (CSP) has checksum support - https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Refactoring_inline_code

Additionally, I would recommend some references to the following -
DOMPurify - https://github.com/cure53/DOMPurify
MentalJS - https://github.com/hackvertor/MentalJS
Both of these can be used by sites to sandbox/clean DOM data. If these are called up in the HTML header prior to other 3rd party JS code calls, they can provide protections.

-Ryan

From:  <owasp-leaders-bounces at lists.owasp.org> on behalf of Rogan Dawes <rogan at dawes.za.net>
Date:  Friday, April 15, 2016 at 5:41 AM
To:  Kim Carter <kim.carter at owasp.org>, <owasp-leaders at lists.owasp.org>
Subject:  Re: [Owasp-leaders] 3rd Party JavaScript Management Cheatsheet

My google-fu is weak today, but I'm pretty sure I recall reading about a mechanism to provide a checksum of an included resource in the including page, such that the browser will reject any content that does not match the checksum. That seems like a valuable addition to this cheat sheet, to me.


On Fri, Apr 15, 2016 at 10:02 AM Kim Carter <kim.carter at owasp.org> wrote:
Excellent! Doesn't seem to be anything there though...

Kim Carter
OWASP New Zealand Chapter Leader (Christchurch)
Author of Holistic Info-Sec for Web Developers
c: +64 274 622 607

On 15/04/16 09:10, Taras wrote:

Hi!

It's a very interesting topic and a good cheatsheet! My suggestions are:
1. Add some code examples
2. Add some diagrams to illustrate the Server Direct flow
3. What about using SRI (https://www.w3.org/TR/SRI/)? Can we use it here?
4. What about using an iframe from a different domain (e.g. a static data host) as a "jail" for such 3rd party code? We can make communication between the host and this iframe with postMessage
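The iframe "jail" in suggestion 4 only holds if the host page treats every postMessage it receives as untrusted input. The snippet below is an added example, not code from the thread or the cheat sheet, showing the host side of that pattern: the jailed code runs in a sandboxed frame served from a separate origin (a placeholder origin is assumed), and the host accepts only messages from that origin and only a fixed set of commands. The handler is a plain function so it can be exercised outside a browser.

```javascript
// Added example (not from the OWASP thread): host-page side of the cross-origin
// iframe jail with postMessage, written so the handler is testable in Node.

// Placeholder for the separate origin that serves the jailed third-party code.
const JAIL_ORIGIN = 'https://static.example';

// The only operations the host will perform on behalf of the jailed code.
// Each handler validates and bounds its own input.
const ALLOWED_COMMANDS = {
  'track-event': (payload) => {
    const name = typeof payload.name === 'string' ? payload.name.slice(0, 64) : '';
    return name ? { ok: true, eventName: name } : { ok: false, error: 'missing event name' };
  },
};

// Returns the reply to send back, or null when the message must be ignored entirely.
function handleJailMessage(event) {
  // 1. Origin check: anything not from the jail origin is dropped, no reply.
  if (event.origin !== JAIL_ORIGIN) return null;
  // 2. Shape check: only structured messages with a string command.
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || typeof msg.cmd !== 'string') return null;
  // 3. Whitelist lookup via hasOwnProperty so "constructor", "toString" etc.
  //    on Object.prototype cannot be reached through the command name.
  const handler = Object.prototype.hasOwnProperty.call(ALLOWED_COMMANDS, msg.cmd)
    ? ALLOWED_COMMANDS[msg.cmd]
    : null;
  if (!handler) return { ok: false, error: 'unknown command' };
  const payload = msg.payload && typeof msg.payload === 'object' ? msg.payload : {};
  return handler(payload);
}

// Markup for the jail. Because the frame is on a different origin from the host,
// allow-same-origin only lets it keep *its own* origin (so event.origin can be
// checked); it remains cross-origin to the host and cannot touch the host DOM.
function jailIframeMarkup(src) {
  return `<iframe src="${src}" sandbox="allow-scripts allow-same-origin" referrerpolicy="no-referrer"></iframe>`;
}

// Browser wiring: only runs where a window exists.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const reply = handleJailMessage(event);
    // Reply is addressed to the jail origin only, never "*".
    if (reply && event.source) event.source.postMessage(reply, JAIL_ORIGIN);
  });
}

module.exports = { JAIL_ORIGIN, ALLOWED_COMMANDS, handleJailMessage, jailIframeMarkup };
```

Two details matter most here: the origin comparison is exact (no prefix or substring match), and unknown commands get a refusal rather than a lookup on an open object, which is where prototype properties would otherwise leak in.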


On Mon, 11/04/2016 at 16:41 -1000, Jim Manico wrote:

Hello folks,

Jim Weiler from the OWASP Boston chapter just released a cheatsheet
on 3rd party JavaScript management. I think this is a solid and very
interesting piece of work. It addresses a security concern which many
website operators face.

Take a look, your feedback is - as always - appreciated.

https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet

Aloha,
Jim Manico


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders