Today, third-party JavaScript resources are an indispensable part of the web platform. More than 88% of the world's top websites include at least one JavaScript resource from a remote host. However, using a third-party JavaScript resource carries a significant security risk: if an attacker can compromise one of these remote JavaScript resources, every website that includes the script is at risk. In this paper, we present JSSignature, an entirely client-side, pure-JavaScript framework for validating third-party JavaScript resources using digital signatures. All included JavaScript resources are therefore checked for integrity, authentication and non-repudiation before execution. In contrast to existing methods, JSSignature protects web pages regardless of how the third-party resource was compromised, while it sets no restrictions on trusted JavaScript providers. This approach has an acceptable one-time performance overhead and is an easily deployable add-in. We have validated the proposed solution by applying tests on an implemented version\footnote{The source code, resources and the working demo are available at the JSSignature website.}