The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

Written by Troy Hunt
Tags: security, csp, sri

A couple of years back as the US presidential campaign was ramping up, the Trump camp did something stupid. I know, we're all shocked but bear with me because it's an important part of the narrative of this post. One of their developers embedded this code in the campaign's donation website:

<script src="" type="text/javascript"></script>

See the problem? This tag was in the source code over at yet it was pulling script directly off Igor Escobar's GitHub repository for the project. Now, imagine if Igor took a dislike to Trump. Or someone else took issue with the bloke (hypothetically, of course) and made a pull request. What could you do if you could modify that script and subsequently cause your own arbitrary JavaScript to execute on Trump's website? Easy answer - almost anything. Modify the DOM, redirect the user, load in external content, prompt visitors to install software, add a key logger and grab any cookies not flagged HttpOnly. This was actually a serious story back then but it was quickly rectified and we all moved on.

Until now. I woke up on the other side of the world to most people this morning and my Twitters had gone nuts overnight with this story: