Describe the Bug
The third-party links/scripts don't have an integrity attribute, so the browser cannot confirm they haven't been compromised.
Subresource Integrity (SRI) is a method that allows web application developers to ensure that resources hosted on third-party services such as Content Delivery Networks (CDN) have been delivered without any unexpected modifications.
The user-agent can't verify scripts from third-party services. In case of compromise of the third-party service, the user is not protected.
script and link tags with a src from another domain are not using integrity checking.
This can be exploited if the service hosting the script is compromised.
Add Subresource Integrity to every script/link whose source is not in your domain.
W3C Subresource Integrity:
https://www.w3.org/TR/SRI/
SRI Hash Generator:
https://srihash.org
Sample Script Element Not Supporting SRI:
[ ] Add the recommended fix for the CDN URLs for bootstrap and form.io, adding the integrity and crossorigin properties. If that is not possible, the resources can be moved into our source base.
[ ] Nice to have: investigate why nginx headers such as Content-Security-Policy are not present when accessing the web portal. If the fix is not possible within this investigation, create a ticket to investigate it. It can be tested locally using the web docker.
Affected URLs
Recommended Fix
Add Subresource Integrity to every script/link whose source is not in your domain. See the scan results documentation.
Additional Information
Associated scan reports: https://bcgov.sharepoint.com/:f:/r/teams/03177/Shared%20Documents/DEVS/Releases/WAVA%20Scan/main-3112?csf=1&web=1&e=6GBeY3
Fix recommendation from the report.
Sample Script Element Supporting SRI:
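Added example, not the scan report's sample and not the project's own code: a small Python helper that computes an integrity token the way the SRI specification prescribes (base64 of the raw digest, prefixed with the algorithm name), emits a script element carrying integrity and crossorigin, and checks fetched bytes against an integrity attribute using the same rules a browser applies (several whitespace-separated tokens allowed, unknown algorithms ignored, only the strongest known algorithm present is compared). The CDN URL and the resource bytes are constructed placeholders.

```python
import base64
import hashlib
import html

# Digest algorithms the SRI spec allows, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(resource: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token: '<alg>-<base64 of the raw digest>'.

    Shell equivalent: openssl dgst -sha384 -binary FILE | openssl base64 -A
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, resource).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, resource: bytes, algorithm: str = "sha384") -> str:
    """Build a <script> element pinned to the exact bytes of the resource.

    crossorigin="anonymous" is required for cross-origin SRI: the response
    must be CORS-readable or the browser cannot compare the digest and
    refuses to execute the script.
    """
    token = sri_hash(resource, algorithm)
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{token}" crossorigin="anonymous"></script>')


def sri_matches(resource: bytes, integrity: str) -> bool:
    """Apply the browser's SRI matching rules to fetched bytes.

    - the attribute may list several tokens separated by whitespace
    - malformed tokens and unknown algorithms are ignored
    - only tokens using the strongest known algorithm present are compared
    - the resource matches if any of those tokens matches
    - an attribute with no usable token imposes no constraint (per spec)
    """
    parsed = []
    for token in integrity.split():
        alg, sep, rest = token.partition("-")
        if not sep or alg not in SRI_ALGORITHMS:
            continue
        digest = rest.split("?", 1)[0]  # drop optional "?options" suffix
        parsed.append((alg, digest))
    if not parsed:
        return True
    strongest = max((alg for alg, _ in parsed), key=SRI_ALGORITHMS.index)
    actual = sri_hash(resource, strongest).split("-", 1)[1]
    return any(d == actual for alg, d in parsed if alg == strongest)


# Constructed sample data: placeholder URL, not a real CDN, and fake script bytes.
CDN_URL = "https://cdn.example.invalid/bootstrap.min.js"
GENUINE = b"/* bootstrap.min.js (constructed sample) */ window.bootstrap = {};"
TAMPERED = GENUINE + b"\n/* unexpected modification served by a compromised host */"


if __name__ == "__main__":
    pinned = sri_hash(GENUINE)
    print(script_tag(CDN_URL, GENUINE))
    print("genuine bytes match pinned hash: ", sri_matches(GENUINE, pinned))
    print("tampered bytes match pinned hash:", sri_matches(TAMPERED, pinned))
```

The pinned token must be regenerated whenever the CDN file version changes, which is why pinning a versioned URL (rather than a "latest" alias) is the practical precondition for SRI.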