Missing check for SRI (Subresource Integrity) support

[JasonCTang]

Describe the Bug The third-party links/scripts don't have integrity attribute for the browser to confirm they didn't compromised.

Subresource Integrity (SRI) is a method that allows web application developers to ensure that resources hosted on third party services such as Content Delivery Networks (CDN) has been delivered without any unexpected modifications.

The user-agent can't verify scripts from third-party services. In case of compromise of the third-party service, the user is not protected. script and link tags with src from another domain are not supporting integrity check. This can be exploited if the service that have the script is compromise.

Affected URLS

• https://test-aest-sims.apps.silver.devops.gov.bc.ca:443/supporting-users
• https://test-aest-sims.apps.silver.devops.gov.bc.ca:443/supporting-users/login
• https://test-aest-sims.apps.silver.devops.gov.bc.ca:443/institution
• https://test-aest-sims.apps.silver.devops.gov.bc.ca:443/institution/institution-profile/edit
• https://test-aest-sims.apps.silver.devops.gov.bc.ca:443/institution/login
• https://test-aest-sims.apps.silver.devops.gov.bc.ca/ministry
• https://test-aest-sims.apps.silver.devops.gov.bc.ca/ministry/login

Recommended Fix Add Subresource Integrity to every script/link with source not in your domain - See scan results documentation.

Additional Information

• Associated scan reports: https://bcgov.sharepoint.com/:f:/r/teams/03177/Shared%20Documents/DEVS/Releases/WAVA%20Scan/main-3112?csf=1&web=1&e=6GBeY3

• Fix recommendation from the report.

  Add Subresource Integrity to every script/link with source not in your domain
  W3C Subresource Integrity:
  https://www.w3.org/TR/SRI/https://www.w3.org/TR/SRI/external
  SRI Hash Generator:
  https://srihash.orghttps://srihash.orgexternal
  Sample Script Element Not Supporting SRI:

  <script src="https://example.com/example-framework.js"
  crossorigin="anonymous"></script>

  Sample Script Element Supporting SRI:

  <script src="https://example.com/example-framework.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>

Technical

• [ ] Add the recommended fix for the CDN URLs for bootstrap and form.io adding the properties integrity and crossorigin. If not possible the resources can be moved to our source base.
• [ ] Nice to have, investigate why nginx headers like Content-Security-Policy are not present while accessing the web portal. If this investigation fix is not possible create a ticket to investigate it. It can be tested locally using the web docker.

[andrewsignori-aot]

Demo

SRI (Subresource Integrity)

Please note form.io CDN is no longer used.

Content-security-policy