interlockjs/interlock

interlock-signed

divmain opened this issue · 4 comments

Implement the interlock-signed plugin.

This plugin will ensure that bundles have not been tampered with, and allow for trusted use of third-party hosting for bundles (such as a public CDN). The general implementation will be as follows:

  • add an additional provider with the following behavior:
    • on load: check for a global variable containing a map of bundle filenames to their SHA-1 hashes
    • on load: if global variable not found, notify the user with an alert() and set internal state such that any requests go to the next runtime bundle provider
    • on module request: if the module is not contained within a hashed bundle, fall back to the next runtime module provider
    • on module request: if module is contained within a hashed bundle, create an XHR request for the bundle in question, rather than a script tag
    • on request success: when XHR 200 response comes back, generate a SHA-1 hash of the bundle's raw text [1]
    • on request success: if the hash does not match, notify the user with an alert()
    • on request success: if the hash does match, create a new <script> tag with a src value of data:text/javascript,... [2]
  • add transform to emitRawBundles step
    • generate SHA-1 hashes of bundle.raw values [1]
    • create map of bundle filenames to SHA-1 hashes
    • append output file to array of bundles, which when loaded sets a global variable that contains the filename:SHA-1 map

Constraints:

  • script containing hashes must be loaded as a separate script or inlined into the HTML on initial page load
  • server hosting signed bundles must support XHR requests for the loaded site

[1] http://www.movable-type.co.uk/scripts/sha1.html
[2] https://developer.mozilla.org/en-US/Add-ons/Code_snippets/Rosetta, line 45 of code sample
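As an added example (not part of this issue or the interlock code base), here is the build-side hash map and the runtime check from the plan above in plain JavaScript; sha1Hex stands in for the script at [1], and the sample bundles, function names and the { status, src } return shape are assumptions for illustration.

```javascript
// Added example (not interlock's own code): the hashed-bundle check described
// above. sha1Hex is a plain-JS SHA-1 standing in for the script at [1]; in a
// browser crypto.subtle.digest("SHA-1", bytes) can replace it (it is async).
function sha1Hex(text) {
  const bytes = new TextEncoder().encode(text);
  const padLen = (((bytes.length + 8) >>> 6) + 1) * 64; // data + 0x80 + zeros + 64-bit length
  const buf = new Uint8Array(padLen);
  buf.set(bytes);
  buf[bytes.length] = 0x80;
  const dv = new DataView(buf.buffer);
  dv.setUint32(padLen - 8, Math.floor(bytes.length / 0x20000000)); // high word of bit length
  dv.setUint32(padLen - 4, (bytes.length * 8) >>> 0);             // low word of bit length
  const rotl = (x, n) => (x << n) | (x >>> (32 - n));
  const w = new Uint32Array(80);
  let h = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0];
  for (let off = 0; off < padLen; off += 64) {
    for (let i = 0; i < 16; i++) w[i] = dv.getUint32(off + i * 4);
    for (let i = 16; i < 80; i++) w[i] = rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
    let [a, b, c, d, e] = h;
    for (let i = 0; i < 80; i++) {
      const f = i < 20 ? (b & c) | (~b & d) : i < 40 ? b ^ c ^ d
              : i < 60 ? (b & c) | (b & d) | (c & d) : b ^ c ^ d;
      const k = i < 20 ? 0x5a827999 : i < 40 ? 0x6ed9eba1 : i < 60 ? 0x8f1bbcdc : 0xca62c1d6;
      const t = (rotl(a, 5) + f + e + k + w[i]) >>> 0;
      e = d; d = c; c = rotl(b, 30) >>> 0; b = a; a = t;
    }
    h = [h[0] + a, h[1] + b, h[2] + c, h[3] + d, h[4] + e].map(x => x >>> 0);
  }
  return h.map(x => x.toString(16).padStart(8, "0")).join("");
}

// Build side (emitRawBundles transform): map bundle filename -> SHA-1 of bundle.raw.
function buildHashMap(bundles) {
  return Object.fromEntries(Object.entries(bundles).map(([name, raw]) => [name, sha1Hex(raw)]));
}

// Runtime side: decide what the signed provider does with an XHR 200 response.
// "fallback": no hash map / bundle not hashed -> next provider; "tampered": hash
// mismatch -> alert(); "ok": inject <script src="data:text/javascript,...">.
function verifyBundle(hashMap, filename, responseText) {
  if (!hashMap || !Object.prototype.hasOwnProperty.call(hashMap, filename)) return { status: "fallback", src: null };
  if (sha1Hex(responseText) !== hashMap[filename]) return { status: "tampered", src: null };
  return { status: "ok", src: "data:text/javascript," + encodeURIComponent(responseText) };
}

// Constructed sample bundles standing in for real interlock output.
const SAMPLE_BUNDLES = { "app.js": "console.log('app');", "vendor.js": "console.log('vendor');" };
const HASH_MAP = buildHashMap(SAMPLE_BUNDLES); // what the generated hashes script would set globally
```

The check only proves that the copy fetched from the CDN matches what the build emitted; the hash map itself still has to arrive over the trusted path the constraints above describe (a separate script or inlined into the HTML).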

baer commented

This is a killer feature for PCI compliance

That's actually what prompted this idea :)

Consider using SubtleCrypto for minimal impact to bundle size.