Tag: Web standards

Introducing “Subresource Integrity (SRI) Manager” for WordPress

Subresource Integrity (SRI) is a proposed W3C standard that Web developers can make use of to protect their websites from being used in JavaScript-based DDoS attacks, such as the one recently suffered by GitHub.com. It’s not yet widely supported by browsers but is harmless to add to your pages for browsers that don’t support it.

Using SRI is a simple matter of adding an integrity attribute to the HTML element that points at an external resource (a <script> tag, for example). The attribute holds a hash algorithm specifier (such as sha256) followed by the hash of the content you expect to load, which tells the browser that the resource the element points to should produce exactly that hash. If the content the browser receives from the remote server does not produce the specified hash, the browser refuses to load the resource and fires an error event at the element instead:

<!-- crossorigin is required on a cross-origin resource so the browser can read the response bytes in order to hash them -->
<script src="//example.com/example-library.js" integrity="sha256-ab3c54ef..998756" crossorigin="anonymous"></script>

I wanted to make use of this immediately, but I didn’t want to manually hash all the libraries that my website loads. These include stylesheets from content distribution networks like Bootstrap and JavaScript libraries such as jQuery DataTables. So I wrote a WordPress plugin that keeps track of the hashes for me.

With the Subresource Integrity (SRI) Manager plugin for WordPress (WP-SRI), each time a stylesheet or script is enqueued by a WordPress plugin or theme (using wp_enqueue_style() or wp_enqueue_script()), WP-SRI makes a note of the requested resource URL and adds it to a list of known resources. If WP-SRI has not seen the resource before, it fetches the resource content itself, produces a hash, and saves that alongside the resource URL in WordPress’s wp_options table. When the HTML is output, it adds the integrity attribute and the associated hash automatically.

Using this plugin can dramatically reduce the likelihood that visitors to your site will be strong-armed into participating in an HTTP DDoS attack. In future versions of this plugin, I also hope to provide an easy-to-use interface for site administrators so that they can maintain a customized list of resource hashes and trigger on-demand integrity checks of these resources.

Please submit feature requests and/or patches to the issue tracker on GitHub, and post support requests to the WordPress plugin support forum. Thanks. :)