Implement SRI attributes for injected JavaScript & Styles
The Optimizely PAAS CMS platform has multiple touchpoints where scripts are injected into the frontend UI. Examples include Optimizely Forms, Content Recommendations, Search & Navigation etc.
When these scripts are injected into the UI, they are not added with a Sub-resource Integrity attribute. An SRI check allows us to instruct the browser that it should not load a tampered version of a JS or CSS file and can protect users from man in the middle attacks. You can read more about SRI here: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
This is a commonly reported issue in penetration tests and clients are becoming increasingly more security conscious and request that we make sure SRI attributes are in place. While we can add SRI checks for JS and CSS files that we generate, the files injected by Optimizely lack these attributes. We are left explaining to the customer that we do not control these scripts and styles
Our desired output would be that scripts and styles rendered by Optimizely code include an SRI attribute.
Mark Stott
shared this idea