[vulnerability][integrity.js] Hacked Service Worker caches can intrude into the application

[t2ym]

[vulnerability][integrity.js] Hacked Service Worker caches can intrude into the application

Root Cause

Service Worker is relying on caches without verifying the cached contents

Fix

• Append integrity checking on Service Worker caches
• Dedicated Headers for cached Response objects
  • x-cache-timestamp: Date.now()
  • x-cache-digest: sha256-Base64(SHA256(response.body))
  • x-cache-random: Base64(Random(32))
  • x-cache-integrity: content-type,x-cache-timestamp,x-cache-digest,x-cache-random;hmac-sha256-Base64(HMAC(headers.join('\n') + '\n'))
• HMAC key

  ConnectSession.initialSecret = await HKDF.Extract(0, HKDF.concat(
    ConnectSession.initialRandom, // x-cache-random
    ConnectSession.ClientIntegrity.userAgentHash,
    ConnectSession.ClientIntegrity.browserHash,
    ConnectSession.ClientIntegrity.scriptsHash,
    ConnectSession.ClientIntegrity.htmlHash,
  ));
  ConnectSession.initialSalt = await HKDF.Expand_Label(CurrentSession.initialSecret, 'salt', '', HMAC.saltLength);

• Wrapped methods for tranparent operations
  • Cache.prototype.put()
  • Cache.prototype.match()
• On restarting Service Worker, ConnectSession.initialRandom is extracted from the header of the cache entry for integrity.json