Approved
Last Updated: 07 Oct 2019 18:35 by John
ADMIN
Rumen
Created on: 13 Dec 2018 16:45
Category: ScriptManager
Type: Feature Request
3
Subresource Integrity (CDN)
Subresource Integrity is a fairly new security scheme for protecting against malicious script obtained from third-party source (CDNs). It requires that the script tag include a hash of the script content so the browser can verify that it has not been altered.

Telerik controls generate a bunch of script tags for cloudfront.net. It would be swell if the script tags would include the extra attributes necessary to implement subresource integrity. Is this in the roadmap? 

Mozilla provides a security analysis tool which highlights this issue. Look at the results for telerik.com here -> https://observatory.mozilla.org/analyze/www.telerik.com. 

More info available on 
https://infosec.mozilla.org/guidelines/web_security#subresource-integrity
https://www.w3.org/TR/SRI/
3 comments
John
Posted on: 07 Oct 2019 18:35

I concur with Dan Ehrmann getting failing PCI scan if using CDN.

Title: Script Src Integrity Check

Synopsis: Report external script resources not using integrity.

Impact: The remote host may be vulnerable to payment entry data exfiltration due to javascript included from potentially untrusted and unverified third parties script src. If the host is controlled by a 3rd party, ensure that the 3rd party is PCI DSS compliant.

I am certain you guys could have your controls produce hash values which would save allot of users from having to either make exceptions and or concessions.

Thanks John

ADMIN
Marin Bratanov
Posted on: 02 Jan 2019 17:31
Thank you for your feedback, Dan. We will definitely keep this in mind. If this becomes commonly requested and popular, we will consider it for sure.

So far this is the first time that this is requested in a decade since we offer a CDN, however, so, for the time being, I can suggest you use a custom CDN on your own server: https://docs.telerik.com/devtools/aspnet-ajax/controls/scriptmanager/cdn-support/custom-cdn-provider. This should let the scan realize the resources are coming from your own domain and thus, not require the hash. The caching benefits are almost the same as with a cloud CDN. Of course, if you have users all over the globe, there will be a little more of a difference.

Regards,
Marin Bratanov

Dan Ehrmann
Posted on: 02 Jan 2019 16:48
FYI - our most recent PCI compliance scan flagged this as a fatal error. To resolve it, we have disabled the CDN on the ScriptManager. I think you will have a lot of customers faced with this problem in the near future.