Mrchief

Reputation: 76238

Detect spoofing of JavaScript files

Let's say I'm developing a bunch of JS widgets that are intended to be embedded on any webpage (sort of like iGoogle or Pageflakes widgets).

The client can embed the widgets by including a script tag:

<div id="widgetHost">
    <script src="http://fantasticwidgets.net/awesomeWidget.js"></script>
    <script src="http://fantasticwidgets.net/awesomeWidgetAgain.js"></script>
</div>

Now these widgets rely on common libraries (let's say jQuery, underscore, and some of my own - e.g. myCommon.js).

Ideally, this is what should happen:

Concern: Checking for files already loaded introduces a vulnerability of script spoofing. A malicious user spoofs the libraries once loaded which he uses to steal sensitive info or do other bad things.

Solution: Do not check for loaded libs, send all of them again always. This is still not bulletproof but at least makes it a little harder as he has to spoof again. However, this causes wasted bandwidth and increased loading time.

Question: Is it possible to detect if the loaded files are tampered with, preferably on the client side? Or does it have to include a server side solution? I've ASP.Net running on the server side if that matters.

Upvotes: 1

Views: 743

Answers (1)

cdhowie

Reputation: 169143

The only real solution here is "use HTTPS to deliver the scripts." If the bad guy can go so far as to poison the user's browser cache with HTTPS content from another domain, it's already game over for you, because he would also have power to change the page you deliver to the user.

Upvotes: 2
