Stop Trusting Every JavaScript You Import
How one missing security feature in JavaScript can open the door to supply chain attacks — and what we’re doing about it.
🚨 The Hidden Threat in Modern JS
Every time you call importScripts(), dynamically inject a <script> tag, or load a third-party library at runtime — you’re placing blind trust in external code.
We assume that a trusted CDN will never be compromised. That the file won’t change. That the developers behind it won’t introduce vulnerabilities or ship obfuscated payloads.
But history says otherwise:
- In 2021, UAParser.js was hijacked to install malware.
- CDN providers have served outdated or malicious files due to caching or compromise.
- Even reputable packages have pushed unwanted telemetry or code changes.
JavaScript’s flexibility is a gift — and a curse.
🔐 What About Subresource Integrity (SRI)?
SRI is great. It allows browsers to verify that the fetched resource matches an expected cryptographic hash:
<script src="https://cdn.example.com/app.js" integrity="sha256-abc123=" crossorigin="anonymous"></script>
But here’s the catch:
- It only works for HTML <script> and <link> tags.
- It does not protect dynamic imports.
- It cannot be used inside Web Workers with importScripts().
If you’re building browser extensions, sandboxed apps, or loading scripts dynamically — SRI is completely unavailable.
🛠️ Introducing: safejs
We built safejs to fix that.
It’s a tiny proxy that enforces integrity checks on runtime JavaScript imports using familiar SRI-style hashes.
🧪 Example:
Suppose, for example, you have: importScripts('https://s-eu-1.pushpushgo.com/64f881ab3e4b49d26e7de8d3/worker.js')
which is unsafe.
You can compute the integrity checksum like this:
openssl dgst -sha384 -binary worker.js | openssl base64 -A
which gives a result like:
lyb8w+B0BDCEm7NPF2c1ezvouIeJ5P+SNjdmB/UXBNAUSGx/nhKelnEGg30mnV1/
Then you can import it this way:
importScripts("https://safejs.wdft.ovh/?url=https://s-eu-1.pushpushgo.com/64f881ab3e4b49d26e7de8d3/worker.js&integrity=sha384-lyb8w+B0BDCEm7NPF2c1ezvouIeJ5P+SNjdmB/UXBNAUSGx/nhKelnEGg30mnV1/");
If the content of the file has changed, the proxy responds with a stub script containing a console.error() line instead of the original file.
Under the hood, it:
- Fetches the target script.
- Computes its hash and verifies that it matches the expected one.
- Returns the file only if it passes. Otherwise, returns a stub with a warning.
✅ Works With:
- importScripts() in Web Workers
- Dynamic <script> injection
- eval() and custom script loaders
🚀 Why It Matters
JavaScript supply chain attacks are rising. Security-conscious teams need better primitives — not just hope and best practices.
safejs makes it effortless to:
- Pin scripts to exact versions
- Detect unauthorized code changes
- Alert on mismatch (future feature!)
- Deploy in your own infra, or via Cloudflare/Deno
📦 Get Started
Talk to us to test our public example proxy, or read the safejs docs first.
🔨 Build it from scratch:
You can see the PoC in our initial GitHub Gist, set it up for your case, and deploy it via your Cloudflare Workers plan.
💡 The Bigger Picture
Security is no longer optional. If you’re serious about shipping secure JS apps — especially in regulated, embedded, or browser environments — then you need tools that give you verifiability.
Not just trust. Proof.