<div dir="ltr">My google-fu is weak today, but I'm pretty sure I recall reading about a mechanism to provide a checksum of an included resource in the including page, such that the browser will reject any content that does not match the checksum. That seems like a valuable addition to this cheat sheet, to me.<div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Apr 15, 2016 at 10:02 AM Kim Carter <<a href="mailto:kim.carter@owasp.org">kim.carter@owasp.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  <div bgcolor="#FFFFFF" text="#000000">
    Excellent! Doesn't seem to be anything there though...<br>
    <br>
    <div>
      <div>
        <div style="float:left;margin-top:0px">
          <p style="display:block;margin:0px;color:#4a5da1;font-size:16px;font-weight:800;margin:0 0 5px 0">Kim
            Carter</p>
          <p style="display:block;color:#4a5da1;font-size:12px;margin:0 0 5px 0">OWASP New Zealand Chapter Leader
            (Christchurch)</p>
          <p style="display:block;color:#4a5da1;font-size:12px;margin:0 0 5px 0">Author of <a href="https://leanpub.com/b/holisticinfosecforwebdevelopers" target="_blank"><b>Holistic
                Info-Sec for Web Developers</b></a></p>
          <p style="display:block;color:#4a5da1;margin:0 0 5px 0"> <abbr title="cellular phone" style="font-weight:800">c:</abbr>
            <span> +64 274 622 607</span> </p>
        </div>
      </div>
    </div></div><div bgcolor="#FFFFFF" text="#000000">
    <div><br>
      On 15/04/16 09:10, Taras wrote:<br>
    </div>
    <blockquote type="cite">
      <pre>Hi!

It's a very interesting topic and good cheatsheet! My suggestions are:
1. Add some code examples
2. Add some diagrams to illustrate Server Direct flow
3. What about using SRI (<a href="https://www.w3.org/TR/SRI/" target="_blank">https://www.w3.org/TR/SRI/</a>)? Can we use it
here?
4. What about using iframe from different domain (e.g. static data
host) as "jail" for such 3rd party code? We can make communication
between the host and this iframe with postMessage


On Mon, 11/04/2016 at 16:41 -1000, Jim Manico wrote:
</pre>
      <blockquote type="cite">
        <pre>Hello folks,

Jim Weiler from the OWASP Boston chapter just released a cheatsheet
on 3rd party JavaScript management. I think this is a solid and very
interesting piece of work. It address a security concern which many
website operators face.

Take a look, your feedback is - as always - appreciated.

<a href="https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet" target="_blank">https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet</a>

Aloha,
Jim Manico


 _______________________________________________
OWASP-Leaders mailing list
<a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a>
</pre>
      </blockquote>
    </blockquote>
    <br>
  </div>

</blockquote></div>