interlock-signed #59

Closed
12 tasks
divmain opened this issue Sep 19, 2015 · 4 comments
divmain commented Sep 19, 2015

Implement the interlock-signed plugin.

This plugin will ensure that bundles have not been tampered with, and allow for trusted use of third-party hosting for bundles (such as a public CDN). The general implementation will be as follows:

  • add an additional provider with the following behavior:
    • on load: check for a global variable containing a map of bundle filenames to their SHA-1 hashes
    • on load: if global variable not found, notify the user with an alert() and set internal state such that any requests go to the next runtime bundle provider
    • on module request: if the module is not contained within a hashed bundle, fall back to the next runtime module provider
    • on module request: if module is contained within a hashed bundle, create an XHR request for the bundle in question, rather than a script tag
    • on request success: when XHR 200 response comes back, generate a SHA-1 hash of the bundle's raw text [1]
    • on request success: if the hash does not match, notify the user with an alert()
    • on request success: if the hash does match, create a new <script> tag with a src value of data:text/javascript,... [2]
  • add transform to emitRawBundles step
    • generate SHA-1 hashes of bundle.raw values [1]
    • create map of bundle filenames to SHA-1 hashes
    • append output file to array of bundles, which when loaded sets a global variable that contains the filename:SHA-1 map

Constraints:

  • script containing hashes must be loaded as a separate script or inlined into the HTML on initial page load
  • server hosting signed bundles must support XHR requests for the loaded site

[1] http://www.movable-type.co.uk/scripts/sha1.html
[2] https://developer.mozilla.org/en-US/Add-ons/Code_snippets/Rosetta, line 45 of code sample

@divmain divmain added this to the v1.0 milestone Sep 19, 2015
baer commented Sep 19, 2015

This is a killer feature for PCI compliance

divmain commented Sep 20, 2015

That's actually what prompted this idea :)

@divmain divmain self-assigned this Sep 29, 2015
@divmain divmain added the next label Sep 29, 2015
divmain commented Mar 4, 2016

Consider using SubtleCrypto for minimal impact to bundle size.
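
The build-side hash map and the runtime check from the implementation list in the opening comment, hashed with SubtleCrypto as suggested above. This is an added example, not code from the interlock project or from anyone in this thread. The function names, the `{ dest, raw }` bundle shape and the sample bundle are assumptions; SHA-1 follows the issue text.

```javascript
// Added example, not interlock code; every name below is hypothetical.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// The issue specifies SHA-1; SubtleCrypto.digest also accepts "SHA-256" here.
const HASH_ALGORITHM = "SHA-1";

// Hex digest of a bundle's raw text. Build and runtime must hash the same
// bytes, so the text is always encoded as UTF-8 first.
async function digestHex(rawText) {
  const digest = await subtle.digest(HASH_ALGORITHM, new TextEncoder().encode(rawText));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build side: the filename -> hash map that the extra output file would
// assign to a global variable.
async function buildHashMap(bundles) {
  const map = Object.create(null); // no inherited keys such as "constructor"
  for (const { dest, raw } of bundles) map[dest] = await digestHex(raw);
  return map;
}

// Runtime side: decide what the provider does with a bundle body fetched by XHR.
async function checkBundle(hashMap, filename, responseText) {
  if (!hashMap) return { action: "fallback", reason: "hash map not loaded" };
  const known = Object.prototype.hasOwnProperty.call(hashMap, filename);
  if (!known) return { action: "fallback", reason: "bundle is not hashed" };
  const actual = await digestHex(responseText);
  if (actual !== hashMap[filename]) return { action: "reject", reason: "hash mismatch" };
  // Only text that passed the check becomes a script source.
  return { action: "execute", src: "data:text/javascript," + encodeURIComponent(responseText) };
}

// Constructed sample input.
const SAMPLE_BUNDLES = [{ dest: "app.js", raw: "window.app = 1;" }];

async function demo() {
  const map = await buildHashMap(SAMPLE_BUNDLES);
  return {
    intact: await checkBundle(map, "app.js", "window.app = 1;"),
    tampered: await checkBundle(map, "app.js", "window.app = 2;"),
    unhashed: await checkBundle(map, "vendor.js", "window.vendor = 1;"),
    noMap: await checkBundle(undefined, "app.js", "window.app = 1;"),
  };
}

demo().then((result) => console.log(result));
```

A `reject` result is where the plan's `alert()` would fire, and a `fallback` result hands the request to the next runtime provider.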

divmain commented Mar 12, 2016

Moved to interlockjs/plugins#6.

@divmain divmain closed this as completed Mar 12, 2016
@divmain divmain added archive and removed next labels Mar 12, 2016