interlock-signed - Githubissues

divmain commented 8 years ago

Implement the interlock-signed plugin.

This plugin will ensure that bundles have not been tampered with, and allow for trusted use of third-party hosting for bundles (such as a public CDN). The general implementation will be as follows:

[ ] add an additional provider with the following behavior:
- [ ] on load: check for a global variable containing a map of bundle filenames to their SHA-1 hashes
- [ ] on load: if global variable not found, notify the user with an alert() and set internal state such that any requests go to the next runtime bundle provider
- [ ] on module request: if the module is not contained within a hashed bundle, fall back to the next runtime module provider
- [ ] on module request: if module is contained within a hashed bundle, create an XHR request for the bundle in question, rather than a script tag
- [ ] on request success: when XHR 200 response comes back, generate a SHA-1 hash of the bundle's raw text [1]
- [ ] on request success: if the hash does not match, notify the user with an alert()
- [ ] on request success: if the hash does match, create a new <script> tag with a src value of data:text/javascript,... [2]
[ ] add transform to emitRawBundles step
- [ ] generate SHA-1 hashes of bundle.raw values [1]
- [ ] create map of bundle filenames to SHA-1 hashes
- [ ] append output file to array of bundles, which when loaded sets a global variable that contains the filename:SHA-1 map

Constraints:

script containing hashes must be loaded as a separate script or inlined into the HTML on initial page load
server hosting signed bundles must support XHR requests for the loaded site

[1] http://www.movable-type.co.uk/scripts/sha1.html [2] https://developer.mozilla.org/en-US/Add-ons/Code_snippets/Rosetta, line 45 of code sample

baer commented 8 years ago

This is a killer feature for PCI compliance

divmain commented 8 years ago

That's actually what prompted this idea :)

divmain commented 8 years ago

Consider using SubtleCrypto for minimal impact to bundle size.

divmain commented 8 years ago

Moved to interlockjs/plugins#6.

interlockjs / interlock

interlock-signed #59