undefined | Better HN

0 pointsbawolff8mo ago0 comments

While i agree that is better than nothing, i've always had my doubts about this approach.

Do people really audit such code? I doubt it. Does the code really not insert any additional code that allows bypassing the whole scheme (esp. If the point is to dynamically insert content).

I also think most of the time, the biggest threat is not the vendor being intentionally evil but the vendor making a mistake that leads to XSS which someone else exploits. After all, if the vendor is intentionally being malicious they can probably sneakily bypass this sort of thing.

0 comments

tasn8mo ago

How is that different to any other library? Supply chain risk is a big problem.

bawolffOP8mo ago

Supply chain risk gets all the headlines, but personally i think its a bit overhyped.

That said, things like SRI don't really fully fix the supply chain issue. Supply chain issues usually mean the developer intentionally upgrades to a new version, that unbeknownst to them is malicious. It is usually not about a resource getting replaced with nobody realizing it, everyone realizes the upgrade is happening. In such a situation it is likely SRI hashes would get upgraded too.

Solutions like hashes or digital signatures are useless if the person being tricked is the one responsible for signing things.

j / k navigate · click thread line to collapse