Fucory
@fucory
Did a PR to gnosis safe UI to add missing SRI protection: https://github.com/safe-global/safe-wallet-monorepo/pull/5186/files For those not in the loop, SRI tells the browser not to load javascript files that don't match an integrity hash: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity All bundlers support this with plugins.
2 replies
1 recast
17 reactions
polymutex
@polymutex.eth
Still seems not super useful so long as the top-level page itself isn't integrity-verifiable... Especially if all these bundles are served from the same server.
2 replies
0 recast
1 reaction
v1rtl
@v1rtl.eth
I think this is mostly useful for ensuring that third party scripts keep their integrity; probably not as useful for local ones.
1 reply
0 recast
0 reaction
Fucory
@fucory
It makes auditing the site super simple. If you ensure your root HTML is correct, you can be confident all other assets will have integrity.
1 reply
0 recast
0 reaction
v1rtl
@v1rtl.eth
Can't imagine a scenario where local JS scripts are compromised and HTML is left untouched; usually the whole front-end is compromised.
1 reply
0 recast
0 reaction
Fucory
@fucory
I can. It can happen if the app is a PWA that doesn't have autoupdates on and you haven't downloaded an asset yet.
1 reply
0 recast
1 reaction
Fucory
@fucory
https://x.com/FUCORY/status/1896783501120405997
1 reply
0 recast
1 reaction
Fucory
@fucory
Also protects against some MITM attacks or a specific CDN being compromised. But you are right. You want to layer on top of this trusted signers or, even better, the entrypoint being onchain via something like Tevm Module Federation. If you don't know what Tevm module federation is, that's expected, since it doesn't exist yet, but I designed it years ago. Most recently tried to get Farcaster frames and Worldcoin miniapps to use it. Tevm.app will be using it.
1 reply
0 recast
2 reactions