
Very interesting, I didn’t realise that subresource integrity was entirely missing from the ESM spec. So what this would mean is that, with ESM, any code loaded from any CDN could contain a potential government backdoor. How is this not a bigger issue?

github.com/skypackjs/skypack-c

(I’m saying a government backdoor because it would most likely take a state-level actor to force a CDN company to do that but it could, of course, be a disgruntled employee or cracker.)

@aral Also worrying is the lack of subresource integrity for resources like fonts included from CSS.

https://github.com/w3c/webappsec-subresource-integrity/issues/40

While straight up injecting unauthenticated JS code is of course easier to exploit, font rendering is a big can of worms and arbitrary code execution with carefully crafted web fonts wasn't unprecedented (although, fortunately, modern browsers have much better sandboxes than IE circa 2011).

https://yomuds.blogspot.com/2012/11/cve-2011-3402-and-cool-exploit-kit_28.html

https://cve.circl.lu/cve/CVE-2011-3402
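
The check that the first post says ESM imports lack, written out as an added example for Node (not code from the thread or from Skypack): hash the fetched module bytes and compare them with a pinned SRI string before the code is used. The function names and the sample module text are constructed for illustration.

```javascript
const { createHash } = require("node:crypto");

// Hash algorithms defined for SRI, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Build an integrity string such as "sha384-<base64 digest>".
function computeSri(bytes, alg = "sha384") {
  return `${alg}-${createHash(alg).update(bytes).digest("base64")}`;
}

// Parse whitespace-separated integrity metadata; unknown algorithms are dropped.
function parseIntegrity(metadata) {
  return metadata.trim().split(/\s+/).map((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(\?.*)?$/.exec(token);
    return m ? { alg: m[1], digest: Buffer.from(m[2], "base64") } : null;
  }).filter(Boolean);
}

// True only when the bytes match a digest of the strongest algorithm listed.
function verifySri(bytes, metadata) {
  const entries = parseIntegrity(metadata);
  // Browsers skip the check when no usable hash is present; a pinning tool should fail closed.
  if (entries.length === 0) return false;
  const alg = STRENGTH[Math.max(...entries.map((e) => STRENGTH.indexOf(e.alg)))];
  const actual = createHash(alg).update(bytes).digest();
  return entries.some((e) => e.alg === alg && e.digest.equals(actual));
}

// Constructed sample: a module as published, and the same module with a line added in transit.
const published = Buffer.from("export const greet = (name) => 'hello ' + name;\n");
const tampered = Buffer.concat([published, Buffer.from("// line added in transit\n")]);
const pinned = computeSri(published);

console.log(pinned);
console.log("published:", verifySri(published, pinned), "tampered:", verifySri(tampered, pinned));
```

A build step or loader can store `pinned` next to the import URL and refuse to evaluate any response for which `verifySri` returns false.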
Aral’s Mastodon
