A web page often contains external resources such as images, JavaScript files and other content hosted on other domains or servers. These external objects may have been useful when the page was created, but the page owner has no control over how the external data is maintained, and it is difficult to track changes to it.
In this prototype, we introduce a simple mechanism to check the fingerprints of external resources. The page author calculates the hash value of the data that he or she wants to link to and records it in the HTML source. When the external data is later changed, the fingerprint check fails and the external resource is not loaded into the hosting page.
For example, an external image link is usually coded as:
<img src="http://external_site/img.gif" id="myimg" alt="My Image"/>
In order to check the integrity of the external data, the new tag for the above image is:
<hashedElement type="img" id="myimg" alt="My Image" src="http://external_site/img.gif" md5="479511244f5e1f0af70144a00441ff27"/>
The following elements are loaded using this new mechanism. You may view the source of the page.
This works in Firefox only, because we use a data URL. It can be made to work in IE, with the caveat that the external data may be loaded twice (note that the second load usually comes from the local browser cache).
The above image is loaded after we verified that the data hash is 479511244f5e1f0af70144a00441ff27.
Note that for an iframe, we verify only the integrity of the iframe source. Resources linked from within the iframe itself are not checked.
Of course, the script is not visible, but an external script was loaded after its hash was verified. The following link calls a JavaScript function, sayHello(), which is defined in the external script specified by the <hashedElement> tag.
Run Script
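The fingerprint check and data-URL loading described above, as an added example that is not the prototype's own script and runs under Node.js rather than in the browser. The MIME mapping, the `hello.js` script and the `sha256` attribute are assumptions; the last goes beyond the page's `md5` attribute because MD5 is not collision-resistant.

```javascript
// Added example, not the prototype's own script. Runs under Node.js.
const { createHash } = require('crypto');

// Assumed mapping from the tag's type attribute to a MIME type for the data URL.
const MIME = { img: 'image/gif', script: 'text/javascript', iframe: 'text/html' };

// Author side: the fingerprint that goes into the md5="..." attribute.
// MD5 matches the page's tag but is not collision-resistant, so the
// hypothetical sha256 attribute accepted below is the safer pin.
function fingerprint(body, algo = 'md5') {
  return createHash(algo).update(body).digest('hex');
}

// Read the attributes of a <hashedElement .../> tag into an object.
function parseHashedElement(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/([\w-]+)="([^"]*)"/g)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Loader side: return a data URL built from the exact bytes that were hashed,
// or null when the type is unknown or the fingerprint is missing or wrong.
// Embedding the verified bytes avoids rendering a second, unverified fetch.
function verifyAndEmbed(attrs, body) {
  const mime = MIME[attrs.type];
  const algo = attrs.sha256 ? 'sha256' : 'md5'; // prefer the stronger pin
  const pinned = (attrs[algo] || '').toLowerCase();
  if (!mime || fingerprint(body, algo) !== pinned) return null; // fail closed
  return `data:${mime};base64,${body.toString('base64')}`;
}

// Constructed sample: the script the author reviewed, and a later altered copy.
const reviewed = Buffer.from('function sayHello(){ alert("Hello"); }');
const altered = Buffer.from('function sayHello(){ alert("Hello!"); }');
const sampleTag = `<hashedElement type="script" id="myscript" ` +
  `src="http://external_site/hello.js" md5="${fingerprint(reviewed)}"/>`;
const sampleAttrs = parseHashedElement(sampleTag);

console.log(verifyAndEmbed(sampleAttrs, reviewed));
console.log(verifyAndEmbed(sampleAttrs, altered));
```
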