My notes on "If you're using Polyfill.io code on your site – like 100,000+ are – remove it immediately"

This is a kind of hack we're seeing more and more in recent years: a site includes a script from another site, and at some point that script turns into malware.

The interesting thing here is that we have the technology to protect against this: SRI (Subresource Integrity) hashes and CSP (Content Security Policy).

An SRI hash is added to the script tag and the browser checks whether the response body matches the hash. For example, this is Bootstrap's recommended script tag:

<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js" integrity="sha384-YvpcrYf0tY3lHB60NNkmXc5s9fDVZLESaAA55NDzOxhy9GkcIdslK1eN7N6jIeHz" crossorigin="anonymous"></script>

This way, the hosting site cannot change the contents, as that would invalidate the hash. Of course, it won't save you from malware that is already present when you add the script tag, but at least the site can't start serving malware in the future.

Why isn't it used everywhere? Well, it has the usual security problem: things work without it, and in some cases (when the file is not immutable) it breaks the site, so for developers it's safer to just omit it. That means that unless browsers start to flag sites that don't use SRI hashes (something that worked quite well for HTTP sites), I don't expect much improvement in adoption here.

June 27, 2024