Ask HN: How do you make sure js from a CDN or a CMS hasn't changed? - swlkr
======
swlkr
After seeing the magecart attacks at BA and Newegg I decided to try and build
a solution: [https://magehash.com](https://magehash.com), unsure if it's
useful yet, what do you think?

I'm thinking about integrating it in existing CI/CD workflows, to avoid false
positives too

------
arayh
Not sure if this is what you're looking for, but subresource integrity
perhaps?

[https://hacks.mozilla.org/2015/09/subresource-integrity-
in-f...](https://hacks.mozilla.org/2015/09/subresource-integrity-in-
firefox-43/)

~~~
swlkr
I did see subresource integrity, but I was also curious about last month's
string of high profile magecart vulnerabilities, would subresource have saved
them there, or is there more to it?

~~~
brightfire
SRI won't protect you from:

* Someone injecting malicious JS code into your checkout page

* Non-static JS includes like Google Analytics

But it works well for static assets like jQuery or other static JS resources.

~~~
0xferruccio
I was working with OP on a static asset integrity tool and testing I found out
google analytics and facebook change their code multiple times a day!

~~~
brightfire
It's been interesting working with teams that have well-defined release
management workflows and continuous integration with snapshotted npm/mvn
dependencies, but still allow a third party like GA to inject JS that skips
the QA queue.

Likewise with CloudFlare: Allowing a third party to proxy all your traffic is
a huge liability. CloudBleed should have been a wake-up call, but it doesn't
seem to have had much effect.

