CISSP PRACTICE QUESTIONS – 20200902

Effective CISSP Questions

Content providers typically employ the content distribution network (CDN), a collection of proxy servers distributed geographically, to accelerate downloads of files, images, streaming media, scripts, etc. As a website author, which of the following best addresses security concerns?
A. User analytics for behavioral targeting
B. Cookies for data tracking
C. Hashes for subresource Integrity
D. Scripts for cross-origin access


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Hashes for subresource Integrity.

CDNs are applied in various areas. Caching the contents of a web site for availability and performance is one of the most common applications of a CDN. Images and JavaScript files are among the objects most often cached in CDNs; JavaScript, however, commonly raises security concerns.

JavaScript Security Concerns

A web author or developer may employ open-source, free JavaScript libraries available on public CDNs, for example Bootstrap, jQuery, or Angular, to name just a few. Some of them can be planted with malicious or problematic scripts. The integrity of those JavaScript files is therefore a significant security concern.

Tracking, Sending, Analyzing, and Marketing

A malicious JavaScript file can be included as part of a web site and downloaded to the client side, i.e., the web browser. Cookies can be used to track user behavior; a JavaScript can send those data to a remote data collector rather than to the web site (origin) from which it was downloaded. The data collector can then analyze the data to extract more valuable information or intelligence for marketing use.

SubResource Integrity (SRI) as Countermeasure

For example, the official jQuery web site advises that the hash of jQuery 3.5.1 is “9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=”. If a web author decides to use the copy from a CDN, the hash should be specified as follows:

<script
  src="https://code.jquery.com/jquery-3.5.1.min.js"
  integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0="
  crossorigin="anonymous">
</script>

Same-Origin and Cross-Origin

A JavaScript file is downloaded to the browser from a web site, which is its origin. The same-origin policy prohibits the JavaScript from connecting to web sites other than the origin (the web site it was downloaded from). The same-origin policy is respected and implemented by most mainstream browsers, e.g., Chrome, Edge, Firefox, and Safari.

However, JavaScript can use other techniques to bypass the same-origin policy and achieve cross-origin communication; that is, a malicious JavaScript file from one web site can collect user data and submit it to other remote web sites. Cross-origin resource sharing (CORS) is one mechanism that enables such cross-origin communication.

Cross-border Transfer

Cross-border transfer (of PII) is a concern different from cross-origin access (by JavaScript). When it comes to personal data and compliance (e.g., GDPR), enterprises should be aware that personal data may be replicated to another country when implementing a CDN.

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

Content providers typically use a content distribution network (CDN), a collection of geographically distributed proxy servers, to accelerate downloads of files, images, streaming media, scripts, etc. As a website author, which of the following best addresses security concerns?
A. User analytics for behavioral targeting
B. Cookies for data tracking
C. Hashes for subresource integrity
D. Scripts for cross-origin access

2 thoughts on “CISSP PRACTICE QUESTIONS – 20200902”

  1. I eliminated answer A and B based on thoughts below:
    A. User analytics for behavioral targeting (sounds like a concern for the host, not website author’s concern)
    B. Cookies for data tracking (user’s concern, not website author’s concern)

    Now I am left with answer C and D, in which C sounds more like an author’s concern to me, plus I am not too clear on cross-origin in answer D before reading your explanation.
    C. Hashes for subresource Integrity
    D. Scripts for cross-origin access (more an availability related concern …?)

    Thank you!

    • Yes, a web author should include hashes for subresource Integrity to avoid incorporating malicious scripts downloaded from the CDN.
      Scripts downloaded from the CDN are limited to the same-origin policy by default. Scripts that can work for cross-origin access are designed either on purpose or maliciously. A web author is typically not the developer who uploads scripts to the CDN.
