Remotely Hosted Resources

Supply chain attacks are more common in the ecommerce space today. For example, Magecart often targets third-party, remotely hosted resources to install drivebys that skim sensitive information entered on a webpage. Using only JavaScript, attackers can mine cryptocurrencies, assert machines into a DDoS network as subordinates, and even attempt to install malware directly onto the client machine for further control and compromise.

Attackers do this by compromising a remotely hosted resource and inserting malicious code into a once trusted JavaScript resource. Then, any websites that include the script also include the malicious JavaScripts.

Recently, the security industry introduced new controls that help curb this type of attack by inserting integrity hashes into HTML elements that include remote resources. For example, Subresource Integrity (SI), a security feature that lets browsers verify resources that they fetch, expects an integrity value on the HTML element that has a hash of the remote resource's content. If the remote resource is compromised, the hash value won’t match the preconfigured and trusted hash value, and the client’s browser doesn’t load the malicious script.

For SFRA implementations, the addJs and addCss helper methods accept an integrity hash as an optional secondary argument. See the Mozilla Developer Network documentation for examples on implementing subresource integrity.

X Privacy Update: We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used. By continuing to use this site you are giving us your consent to do this. Privacy Policy.