Today, third-party JavaScript resources are an indispensable part of the web platform. More than 88\% of the world's top websites include at least one JavaScript resource from a remote host. However, using a third-party JavaScript resource carries a serious security risk: if an attacker can infect one of these remote JavaScript resources, every website that has included the script is at risk. In this paper, we present JSSignature, an entirely client-side, pure-JavaScript framework for validating third-party JavaScript resources using digital signatures. All included JavaScript resources are thus checked against integrity, authentication and non-repudiation risks before execution. In contrast to existing methods, JSSignature protects web pages regardless of the nature of the third-party resource infection, while it sets no restrictions on trusted JavaScript providers. The approach has an acceptable one-time performance overhead and is an easily deployable add-in. We have validated the proposed solution by applying tests to an implemented version\footnote{The source code, resources and the working demo are available at the JSSignature website.}