Should you use SRI for self-hosted scripts?
Here's a curiosity which I found while stumbling through the Sony PlayStation store.

The website loads internally hosted scripts using SRI (Subresource Integrity): the script tags carry an integrity attribute even though the files come from Sony's own servers. Why?
Does your work require you to swipe an ID card to access the building? That seems pretty normal.
Does your work also remind you to keep your badge visible, and to challenge people who aren't wearing theirs? That also seems pretty normal. Sometimes security is breached, so we have multiple layers to keep us safe.
In Sony's case, they may know that many people have write access to the /assets/ directory, but very few can write to the product templates. So they add a further check even on code which they serve themselves.
This is defence in depth. But is it sensible?
If you're running a simple site, there's probably no benefit to this. If someone has the ability to maliciously alter a single JS file on your server, they probably have the ability to change the SRI hashes you're embedding. The check only buys you something when the HTML (and the hash in it) reaches the browser by a different route from the script it describes: separate repositories, separate deploy pipelines, separate servers or CDNs with separate credentials.
But if you have a large and complicated infrastructure, it makes sense to double-check everything. The cost is that every legitimate rebuild of a script must also regenerate the hash in the template, or your own site stops loading it.
If you think I'm wrong - stick a comment in the box below.
FJ says:
For example, if a vulnerability were to affect a well-known WordPress theme, which is not unheard of, I can imagine an attack bot using the exploit to booby-trap a JavaScript library that is known to be part of the theme (something long and dense and boring like a minified jQuery file), without altering anything else. The internal SRI check would defend against this.
Marcus Downing says:
Given the constant stream of malware, clever attack vectors, and leaks from high places, it would be wise for more companies to act like this. Don't pretend your internal security is perfect.