Company opts to prevent rather than fix security problems

Sep 19, 2015 00:01 GMT  ·  By

GitHub has announced that it has implemented a new World Wide Web Consortium (W3C) specification that lets it defend against cross-site scripting (XSS) attacks carried out via its own or another Content Delivery Network (CDN).

CDNs are special servers that have been optimized, hardware- and software-wise, to deliver static assets at extremely fast speeds. Static assets are HTML, JS, CSS, and image files used by browsers to put Web pages together.

Subresource Integrity (SRI) is a W3C standard, still under development, created to bolster the security of static assets delivered through CDNs, targeting specifically CSS and JS files.

This new SRI W3C specification works "by comparing the content with a cryptographic digest that is contained within the surrounding HTML tag," as Frederik Braun, one of SRI's co-creators, explains.

W3C specifically created Subresource Integrity to protect CDN services

While no security incident has ever been recorded at large CDN services, if this ever happened, attackers could compromise tens or hundreds of thousands of websites relying on them to deliver static assets.

Such a scenario would be ideal for hackers wanting to carry out XSS attacks, mainly because most XSS mitigation services don't take into account CDN protections.

By modifying their site's source code, GitHub's staff have taken the first steps toward protecting their service and its users from such attacks succeeding.

The only browser that currently supports Subresource Integrity is Google Chrome (45+). Mozilla and Microsoft plan to add this feature to Firefox and Edge.

Developers looking to implement SRI for their own websites can use the SRI Hash Generator to get started.