- Existing codebase refactoring
- 3rd party standalone component
- 3rd party "Сheck for policy" component
- Etherisc API server
- Etherisc examples
v0.2 3rd party component with two-step integration and binding to an external input field for the premium (28 hours)
- Two-step integration of the 3rd party component
- Implement the 3rd party component with binding to an external input field for the premium
- Additional UI components
- Risk of losing control over changes made to the application by 3rd party JavaScript. Advisory: use in-house script mirroring and Subresource Integrity (see below).
- Execution of unknown code: this grants the 3rd party the same privileges that were granted to the client. Advisory: to be secure, the host company must review the code for vulnerabilities such as XSS and for malicious actions such as sending sensitive data from the DOM; use in-house script mirroring, Subresource Integrity and sandboxing (see below).
- Leakage of sensitive information to 3rd parties. The request includes all regular HTTP headers, and the 3rd party can access any cookies, session tokens or other sensitive information retained by the browser and used with that site. Advisory: review the code; the etherisc SDK doesn't send credentials or sensitive information with its cross-origin requests.
Generate integrity metadata for the etherisc SDK and add it to the script element like this:
<script src="https://path-to-etherisc-sdk.js"
        integrity="sha384-MBO5IDfYaE6c6Aao94oZrIOiC7CGiSNE64QUbHNPhzk8Xhm0djE6QqTpL0HzTUxk"
        crossorigin="anonymous"></script>
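Added example, not part of the Etherisc SDK: how the integrity value above is produced from the mirrored script bytes, how a browser evaluates the attribute (strongest listed algorithm only, unknown algorithms ignored), and the tag to paste into the host page. The SDK bytes and the URL are constructed placeholders.

```python
import base64
import hashlib
import html

# Hash functions accepted by the SRI spec, listed weakest to strongest.
SRI_ALGOS = ("sha256", "sha384", "sha512")

def sri_integrity(data: bytes, algo: str = "sha384") -> str:
    """Return the integrity metadata ('sha384-<base64 digest>') for a script body."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_sri(data: bytes, integrity: str) -> bool:
    """Check a script body against an integrity attribute the way a browser does.

    Several whitespace-separated tokens are allowed; per the SRI spec only tokens
    of the strongest listed algorithm count, and any one match passes. Unknown
    algorithms are ignored, and an attribute with no usable token passes as if no
    integrity had been given, so a typo in the algorithm name disables the check.
    """
    parsed = []
    for token in integrity.split():
        algo, sep, expected = token.partition("-")
        if sep and algo in SRI_ALGOS:
            # The spec allows '?options' after the digest; drop them here.
            parsed.append((SRI_ALGOS.index(algo), algo, expected.split("?", 1)[0]))
    if not parsed:
        return True
    strongest = max(rank for rank, _, _ in parsed)
    return any(
        sri_integrity(data, algo) == f"{algo}-{expected}"
        for rank, algo, expected in parsed
        if rank == strongest
    )

def script_tag(src: str, data: bytes, algo: str = "sha384") -> str:
    """Emit the <script> element to paste into the host page."""
    return (
        f'<script src="{html.escape(src, quote=True)}"\n'
        f'        integrity="{sri_integrity(data, algo)}"\n'
        f'        crossorigin="anonymous"></script>'
    )

if __name__ == "__main__":
    # Constructed stand-in for the mirrored SDK file; hash the real file in production.
    sdk = b"window.etherisc = { premium: function (x) { return x; } };\n"
    print(script_tag("https://example.com/etherisc-sdk.js", sdk))
```

Regenerate the value whenever the mirrored SDK file changes, otherwise the browser refuses to execute it.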
Put etherisc SDK into an iframe like this:
<html>
<head></head>
<body>
...
<!-- Iframe with etherisc SDK script. Serve this page from an origin other than the
     host page: with allow-same-origin and allow-scripts together, a same-origin
     document could remove the sandbox attribute from its own frame. -->
<iframe src="https://domain/etherisc-sdk-page.html" sandbox="allow-same-origin allow-scripts"></iframe>
</body>
</html>