Detecting changes in JavaScript and CSS isn’t an easy task, Part 3

The original post was published on my blog on July 18, 2023, long before I realized it might be interesting to the dev.to community.

Hello!

This is the third and final part of a series of posts (part #1, part #2) where I explain why comparing JavaScript and CSS files isn’t as simple as it may initially seem. Additionally, I’ll share how I tackled this problem for the Resources Tracker utility in Secutils.dev.

In the previous posts, I covered various challenges, including handling both inline and external resources, dealing with dynamically loaded and frequently changing resources, and comparing data and blob URLs. Today, I’d like to discuss the security-related challenges you should be mindful of if you’re planning to build a tool similar to the Resources Tracker utility.

Challenge #6: HTML onload and onerror attributes

Here comes a tricky thing! To ensure that our JavaScript and CSS resources remain untampered, merely tracking the URL they are loaded from and their content isn’t enough. We must also verify that the onload and onerror attributes of the