Merge branch 'aegilops/polyfill-io-compromised-script' of https://github.com/aegilops/codeql into aegilops/polyfill-io-compromised-script

This commit is contained in:
aegilops
2024-07-12 12:49:18 +01:00
2 changed files with 6 additions and 6 deletions

View File

@@ -48,12 +48,12 @@
</p>
<p>
To help mitigate future risk of including a script that could be compromised, consider whether you need to
use a polyfill or other library at all. Modern browsers do not require a polyfill, and other popular libraries are redundant after enhancements to HTML 5.
To help mitigate the risk of including a script that could be compromised in the future, consider whether you need to
use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.
</p>
<p>
If you do need a polyfill service or library, move to using a trusted CDN.
If you do need a polyfill service or library, move to using a CDN that you trust.
</p>
<p>
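Review bot: the rewritten first sentence drops the article in "use polyfill or another library at all", which reads as the name of the polyfill.io service rather than the generic technique the old text meant ("use a polyfill or other library"); keep "a polyfill" so the advice covers any polyfill script. The reworded claim "Modern browsers do not require a polyfill" is also stated as an absolute; since the rest of this document still tells readers how to load a polyfill safely, qualifying it (for example "for most widely used features") would keep the two halves of the guidance consistent.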
@@ -63,7 +63,7 @@
A dynamic service cannot be easily used with SRI. Nevertheless,
it is possible to list multiple acceptable SHA hashes in the <code>integrity</code> attribute,
such as those for the content generated for major browers used by your users.
such as hashes for the content required for the major browsers used by your users.
</p>
<p>
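Review bot: the new wording "hashes for the content required for the major browsers used by your users" is clearer, but the sentence should say what listing several hashes means for the check: the browser accepts the resource if any one of the listed hashes for the strongest algorithm present matches, so every hash added widens what the page will execute and each one should be generated from a response the team has actually reviewed. One sentence after "list multiple acceptable SHA hashes in the <code>integrity</code> attribute" stating that would stop readers from treating the list as a catch-all.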
@@ -85,7 +85,7 @@
<sample src="polyfill-trusted.html" />
<p>
If you can investigate the most used browsers by your users, you can list the hashes of the polyfills for those browsers:
If you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:
</p>
<sample src="polyfill-sri.html" />
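Review bot: the sentence only covers users on the majority browsers; the paragraph should state what happens to everyone else, because with SRI a response whose hash is not in the <code>integrity</code> list is blocked, not loaded without the check. A short note such as "users on other browsers will not receive the polyfill at all" before <code>&lt;sample src="polyfill-sri.html" /&gt;</code> would make the trade-off of the hash-list approach explicit.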

View File

@@ -1,6 +1,6 @@
/**
* @name Untrusted domain used in script or other content
* @description Use of a script or other content from an untrusted or compromised domain
* @description Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code.
* @kind problem
* @security-severity 7.2
* @problem.severity error
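Review bot: the new <code>@description</code> "makes your code vulnerable to receiving malicious code" is vague about the actual impact; the resource is executed in the page, so something like "allows code you do not control to run in your pages" describes the problem more directly and matches the <code>@name</code> "Untrusted domain used in script or other content". Adding the trailing period is the right call, since other query descriptions in the repository end in one.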