secdn v2.0.0 • Published 8 years ago
License: MIT • Repository: github

SSL + CDN + Javascript

SSL is a contract with your users: the information they give you will not be accessible to anyone else.

If you are including active content (JavaScript libraries, HTML fragments) from a CDN, simply prepending "https://" to make the security errors go away still breaks that contract, because the CDN is now able to inject any code of its choosing into your web page.

If you still want the performance benefits of a CDN, this 1.5kb tool closes the security gap: it uses CORS to retrieve resources from supporting CDNs (e.g. cdnjs.com) and validates the contents of each resource against a known sha256 hash before allowing it to execute on the page.

Thanks to Ryan Grove for the inspiration

Installation

npm install secdn

Examples

/*
 Compute the sha256 hash of any string (the string is passed through escape()
 first, as tiny-sha256 only supports ASCII)
*/
console.log(secdn.hash('var myFavouriteUnicodeChar = "ǂ"'));

/*
 Download a trusted resource (local script or a CORS-enabled CDN) and compute
 the hash signature that will be used later to verify it
*/
secdn.sign('https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js',
	function(err, hash) {
		console.log(hash);
	}
);

/*
 Download a resource from any **untrusted** CORS-enabled CDN - will throw an
 exception if it has been tampered with
*/
secdn.retrieve('http://cdnjs.cloudflare.com/ajax/libs/6px/1.0.3/6px.min.js',
	'74474faf45300360dabfa130cf788d6bc17b91bb51c44d608c92761ca8c9bfe7',
	function(err, content) {
		if (err) {
			//handle err
		} else {
			//do something with this resource
		}
	}
);

/*
 A wrapper for secdn.retrieve that will include the content as a script in
 the document head
*/
secdn.include('http://cdnjs.cloudflare.com/ajax/libs/6px/1.0.3/6px.min.js',
	'74474faf45300360dabfa130cf788d6bc17b91bb51c44d608c92761ca8c9bfe7',
	function(err) {
		if (err) {
			//handle err
		} else {
			//code to run when script is loaded
		}
	}
);

/*
 A wrapper for secdn.retrieve that will replace the current page's entire
 HTML with the supplied content
*/
secdn.page('http://cdnjs.cloudflare.com/ajax/libs/6px/1.0.3/6px.min.js', 
	'74474faf45300360dabfa130cf788d6bc17b91bb51c44d608c92761ca8c9bfe7',
	function(err) { 
		if (err) {
			//handle err
		} else {
			//code to run when content is loaded
		}
	}
);

License

MIT
