Today, web applications commonly use a rich set of assets, such as JavaScript libraries or fonts. To perform well, these web applications have to rely on third party content delivery networks (CDNs) for performance. But how secure are these CDN providers? A compromised or a rogue CDN may harm thousands of web pages. A recent breach in jQuery.com confirms that it's a good security exercise not having to trust your content delivery network. This talk will focus on a new web standard, called Subresource Integrity (SRI), which aims to help web developers to prevent rogue third party scripts compromising their web page. SRI achieves this by allowing the developer to provide a hash of the expected content in order to detect and prevent undesired changes. The talk will also cover the current standardization process by highlighting the security considerations faced, as well as the implementation status in modern browsers.
