Subresource integrity for DASHJS and HLS CDN files?

[bmueller-sykes]

This article is making some waves on the inter webs:
https://shkspr.mobi/blog/2018/11/major-sites-running-unauthenticated-javascript-on-their-payment-pages/

...which is all about this:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

I searched my react project, and only react-player came back with CDN references (well, to be fair, it's the only one I've found thus far). They are for DashJS and HLS. Both seem like relative edge cases, which is why (I imagine) you refer to them via CDN rather than including them in react-player (since the latter approach would lead to a bigger bundle).

So the question: is react-player at any sort of risk here? If so, what can/should be done?

Thanks!

[cookpete]

There will always be an element of risk. Every player, not just Dash and HLS, needs to load external scripts to initialise SDKs and load players/iframes/etc. Not from cdnjs, granted, but the same potential risks exist all the same.

The good news for Dash and HLS is that CDNJS provides the integrity hashes for us, and the loadScript library that ReactPlayer uses lets us add it as an attribute to the <script> it generates. So that would solve the problem for the CDNJS SDKs.

The bad news is that other libraries, like YouTube and Vimeo, have SDK URLs like https://www.youtube.com/iframe_api that could change over time, so integrity can't be used for those.