Provide guidance on how to load third party scripts safely

[umar-ahmed]

What content are you looking to add?

I want to add a new page on the Frontend Web Application framework to explain how to safely load third-party scripts. In particular, I'd like to highlight some of the tools like Content Security Policy (CSP) and Sub-resource Integrity (SRI) that you can use.

Why do you think it is important?

Supply chain attacks have become increasingly common against dapp frontends. At least two attacks, 1) Ledger ConnectKit, and 2) 1inch dapp, could at least partially have been mitigated by stricter usage of CSP and SRI.

Can you cite resources where to base the content from?

• https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
• https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/
• https://httptoolkit.com/blog/public-cdn-risks/
• https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html
• https://palant.info/2014/06/30/please-don-t-use-externally-hosted-javascript-libraries/

Attacks

• https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet/
• https://www.wiz.io/blog/lottie-player-supply-chain-attack
• https://www.ledger.com/blog/security-incident-report