Malicious CDNs, Evil Admins, and Third-Party Software
Frontend architecture and performance
Armando Canals is a full-stack engineer and entrepreneur. He has done extensive front-end development work for some of the world's most well-known brands, companies, and start-ups. Most recently, at Apple, Inc., he re-architected their retail web applications to scale to a rapidly growing global user base. Today, he is one of the co-founders of the package management startup packagecloud.io.
Abstract
Many application developers rely on CDNs to serve assets used in day-to-day business. The reasons for using a CDN may vary, but the underlying fact is true: the developer doesn't control the source of the file being served to the browser.
This means that whoever controls the CDN, be it a malicious attacker or an evil administrator, controls the code that will be served to your users. Luckily, developers can now take advantage of a new specification called Subresource Integrity to mitigate such attacks.
In this talk, I will go over how Subresource Integrity works by explaining its purpose and the mechanism by which it verifies the files being served to browsers.
I will also go into why it matters for application developers by showing several attacks that affect anyone using a third-party JavaScript library or stylesheet.
To conclude, I'll show how developers can use Subresource Integrity to prevent code hosted on a compromised CDN from ever reaching users. This will be done using a live example of a browser handling resources with the integrity attribute.