Tuesday, August 29, 2017

[cauwyegu] Who vets third-party Javascript?

A website relies on Javascript provided by a third party.  Who evaluates that code to check that it is secure and functions properly?

Ideally the website operator does, but they actually cannot see what code the third party provides to the user's browser at the moment the client visits the site.

In principle, the user can and should examine the code before running it, though this seems difficult and annoying.

The website could refer to the third-party code not by URL but by content hash, thereby suggesting to the user that they have examined at least that version of the third-party code.  This encourages the development of robust content distribution networks based on content hash.

Considerably more sophisticatedly, the website could refer to the third-party code by a formal specification of what the third-party code is supposed to do.  The third party provides some code and the user's computer automatically verifies that the code obeys the specification.

No comments :