
Can we prevent tampering with an offline HTML page or PWA?

Consider a system where we want to send someone a plain HTML+JS file and when loaded in a browser, it "executes" itself. (The inspiration is Portable Secret, which password-protects secrets for a file that can be shared offline, for a very convenient user experience).

The system has lots of flaws. One of them is that the HTML file could be modified while it's sitting around on the operating system, to do anything - for instance, you could tamper with it so when the password is supplied, it sends its secrets over the network to the attacker.

Now, we don't have this problem with most apps these days because they are signed. If you tamper with them, when the OS launches the app, it will (greatly simplifying) hash its contents, and notice that it no longer matches the signature. The signature can't be faked for the usual public-key crypto reasons, blah blah.

So, the question, finally: is there any equivalent anti-tampering standard we can use for an HTML page, stored offline?

I thought that maybe there would be something in Progressive Web Apps, perhaps putting a signature in the manifest, but I don't see anything immediately relevant. The behavior can't be anything defined in the HTML+JS file itself, obviously; it must be something the browser does automatically to check the contents. It might be acceptable if it has to do a network request to do it.

There are a few approaches you could take to try to prevent tampering of an HTML+JS file stored offline:

  • Sign the file: One approach you could take is to sign the file using a private key and then include the signature in the file. When the file is loaded in the browser, the browser could verify the signature using the corresponding public key. This would prevent tampering with the file because any changes to the file would invalidate the signature.

  • Use a Content Security Policy: You could use a Content Security Policy (CSP) to specify which sources are allowed to be used by the HTML+JS file. This would prevent tampering with the file by blocking any attempts to load external resources or execute malicious code.

  • Use a Service Worker: Another option is to use a Service Worker to cache the HTML+JS file and serve it from the cache. This would prevent tampering with the file because any changes to the file would not be reflected in the cached version served by the Service Worker.

Ultimately, it's important to note that there is no foolproof way to prevent tampering with an HTML+JS file stored offline. It's always possible for an attacker to modify the file, so it's essential to be aware of this risk and take steps to mitigate it as much as possible.
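
The detached-signature idea from the first bullet, as an added example that is not part of the original question or answer. It assumes the check runs in a separate Node.js tool with the publisher's public key pinned in advance, since, as the question notes, a check defined inside the file itself could be edited along with it; `signPage`, `verifyPage`, `demo` and the sample page are hypothetical names and constructed data.

```javascript
// Added example: detached Ed25519 signature over an offline HTML file,
// checked by a verifier that lives outside the file (Node.js built-in crypto).
const nodeCrypto = require('node:crypto');

// Publisher side: sign the exact bytes of the HTML file.
function signPage(htmlBytes, privateKey) {
  // Ed25519 hashes internally, so the digest algorithm argument is null.
  return nodeCrypto.sign(null, htmlBytes, privateKey).toString('base64');
}

// Recipient side: the public key is pinned ahead of time and is never
// read from the file or from the signature that arrives with it.
function verifyPage(htmlBytes, signatureB64, pinnedPublicKeyPem) {
  try {
    const publicKey = nodeCrypto.createPublicKey(pinnedPublicKeyPem);
    const signature = Buffer.from(signatureB64, 'base64');
    return nodeCrypto.verify(null, htmlBytes, publicKey, signature);
  } catch (err) {
    return false; // a malformed key or signature is a failed check
  }
}

function demo() {
  // Constructed demo key pair; a real publisher keeps the private key offline.
  const publisher = nodeCrypto.generateKeyPairSync('ed25519');
  const pinnedPem = publisher.publicKey.export({ type: 'spki', format: 'pem' });

  // Constructed sample page and its detached signature.
  const original = Buffer.from(
    '<!doctype html><html><body><script>/* decrypt */</script></body></html>');
  const signature = signPage(original, publisher.privateKey);

  // A copy that was changed on disk after signing.
  const modified = Buffer.concat([original, Buffer.from('<!-- modified -->')]);

  // The same copy re-signed with a different key: the signature is valid
  // for that key, but the verifier only trusts the pinned one.
  const other = nodeCrypto.generateKeyPairSync('ed25519');
  const resigned = signPage(modified, other.privateKey);

  return {
    originalOk: verifyPage(original, signature, pinnedPem),
    modifiedOk: verifyPage(modified, signature, pinnedPem),
    resignedOk: verifyPage(modified, resigned, pinnedPem),
    garbageSigOk: verifyPage(original, 'not-a-signature', pinnedPem),
  };
}

console.log(demo());
```

Only the untouched file with the publisher's signature passes; the re-signed case shows why the trusted key has to come from somewhere other than the file being checked.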
