Subresource Integrity is a fairly new security scheme for protecting against malicious script obtained from third-party source (CDNs). It requires that the script tag include a hash of the script content so the browser can verify that it has not been altered. Telerik controls generate a bunch of script tags for cloudfront.net. It would be swell if the script tags would include the extra attributes necessary to implement subresource integrity. Is this in the roadmap? Mozilla provides a security analysis tool which highlights this issue. Look at the results for telerik.com here -> https://observatory.mozilla.org/analyze/www.telerik.com. More info available on https://infosec.mozilla.org/guidelines/web_security#subresource-integrity https://www.w3.org/TR/SRI/
I concur with Dan Ehrmann getting failing PCI scan if using CDN.
Title: Script Src Integrity Check
Synopsis: Report external script resources not using integrity.
Impact: The remote host may be vulnerable to payment entry data exfiltration due to javascript included from potentially untrusted and unverified third parties script src. If the host is controlled by a 3rd party, ensure that the 3rd party is PCI DSS compliant.
I am certain you guys could have your controls produce hash values which would save allot of users from having to either make exceptions and or concessions.
Thanks John
So far this is the first time that this is requested in a decade since we offer a CDN, however, so, for the time being, I can suggest you use a custom CDN on your own server: https://docs.telerik.com/devtools/aspnet-ajax/controls/scriptmanager/cdn-support/custom-cdn-provider. This should let the scan realize the resources are coming from your own domain and thus, not require the hash. The caching benefits are almost the same as with a cloud CDN. Of course, if you have users all over the globe, there will be a little more of a difference.
Regards,
Marin Bratanov
- All
- Completed (3068)
- Declined (900)
- Duplicated (28)
- Need More Info (8)
- Pending Review (2)
- Planned (9)
- Under Review (1)
- Unplanned (987)
- Won't Fix (272)
- All
- UI for ASP.NET AJAX
- Ajax
- AjaxPanel
- AsyncUpload
- AutoCompleteBox
- Barcode
- BinaryImage
- Breadcrumb
- Button
- Calendar
- Captcha
- Card
- Chat
- CheckBox
- ClientDataSource
- ClientExportManager
- CloudUpload
- ColorPicker
- ComboBox
- Compression
- DataForm
- DataPager
- DateInput
- DatePicker
- DateRangePicker
- DateTimePicker
- DeviceDetectionFramework
- Diagram
- Dock
- DragDropManager
- Drawer
- DropDownList
- DropDownTree
- Editor
- FileExplorer
- Filter
- FloatingActionButton
- FormDecorator
- Gantt
- Gauge
- Grid
- HtmlChart
- ImageButton
- ImageEditor
- ImageGallery
- Input
- InputManager
- Installer and VS Extensions
- Label
- LightBox
- LinkButton
- ListBox
- ListView
- Map
- MaskedTextBox
- MediaPlayer
- Menu
- MonthYearPicker
- MultiColumnComboBox
- MultiSelect
- Navigation
- Notification
- NuGet feed
- NumericTextBox
- ODataDataSource
- OrgChart
- PageLayout
- PanelBar
- PdfViewer
- PersistenceFramework
- PivotGrid
- ProgressArea
- ProgressBar
- PushButton
- RadAjaxLoadingPanel
- Rating
- RibbonBar
- Rotator
- Scheduler
- ScriptManager
- SearchBox
- Signature
- SiteMap
- SkinManager
- Slider
- SocialShare
- Spell
- SplitButton
- Splitter
- Spreadsheet
- Stepper
- StyleSheetManager
- Switch
- TabStrip
- TagCloud
- Theme Builder
- Ticker
- TileList
- TimeLine
- TimePicker
- ToggleButton
- ToolBar
- ToolTip
- TreeList
- TreeMap
- TreeView
- Visual Style Builder
- Window
- Wizard
- XmlHttpPanel