This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Outdated version of jQuery referenced #3338

Open
Dulf opened this issue Oct 28, 2016 · 6 comments
Comments


Dulf commented Oct 28, 2016

Hey everybody,

IdentityServer references an old version of jQuery.
Is it common practice to keep NuGet packages updated yourself, or should issues like this be reported?

@brockallen (Member)

Does the older version have a vulnerability, or is it lacking some feature that's causing your issues?


Dulf commented Oct 31, 2016

Not that I know of, but our security people tripped over this issue.

@brockallen (Member)

What do you mean "tripped"?


Dulf commented Oct 31, 2016

We have a separate team that does security audits of software that goes into production. This was in their report:

"The use of outdated client-side components increases the risk of exploitable vulnerabilities. The outdated jQuery v1.11.0 library makes the application vulnerable to possible Cross Site Scripting attacks that can be exploited. More information on the exploitation of the XSS vulnerability: jquery/jquery#2432"

Hope this is enough?

Thank you.
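The audit finding above comes from spotting a bundled jQuery file whose version is below some minimum. As an added example (not code from IdentityServer3, jQuery or either commenter), here is the kind of check a security team runs over a deployment's script files: it pulls the version out of the banner comment jQuery ships with and flags copies older than a chosen floor. The sample file contents and the minimum version passed in are constructed assumptions for illustration; the thread does not say which jQuery release closes jquery/jquery#2432, so `minVersion` is a parameter you set from the advisory you are checking against.

```javascript
// Added example: flag bundled jQuery copies below a minimum version.
// Not IdentityServer3 or jQuery code; inputs below are constructed.

// jQuery's banner reads "/*! jQuery v1.11.0 | (c) ..." in minified builds and
// "jQuery JavaScript Library v1.11.0" in unminified builds.
const BANNER_RE = /jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)/;

// Return the version string from a file's banner, or null when no banner is present.
function extractJqueryVersion(source) {
  const m = BANNER_RE.exec(source);
  return m ? m[1] : null;
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// files: { path: contents }. Returns one finding per jQuery copy older than minVersion.
function findOutdatedJquery(files, minVersion) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    const version = extractJqueryVersion(source);
    if (version === null) continue; // not a jQuery file (or banner stripped)
    if (compareVersions(version, minVersion) < 0) {
      findings.push({ path, version, minVersion });
    }
  }
  return findings;
}

// Constructed sample inputs standing in for a deployment's Scripts/ folder.
const SAMPLE_FILES = {
  "Scripts/jquery-1.11.0.min.js":
    "/*! jQuery v1.11.0 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */",
  "Scripts/jquery-3.1.1.js":
    "/*!\n * jQuery JavaScript Library v3.1.1\n * https://jquery.com/\n */",
  "Scripts/app.js": "// application code, no jQuery banner",
};

// Hypothetical floor; substitute the fixed version named by the advisory you care about.
console.log(findOutdatedJquery(SAMPLE_FILES, "3.0.0"));
```

The banner is a heuristic: a renamed or banner-stripped copy will not be detected, so pair this with a check of the NuGet package references (`packages.config` or the project file) that actually pull jQuery in.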

@brockallen (Member)

That's certainly a good point. Thanks for the info.

As for XSS prevention, we also do other things -- output encoding for one, and CSP for another. Just to help assuage any additional concerns.

brockallen self-assigned this Oct 31, 2016

@vtchalkov

There is one more issue with jQuery 1.x: a CSP error is raised in Mozilla Firefox 52.0.2 and Microsoft Edge 38.14393.1066.0.
It happens when the default IdentityServer3 login page is opened in these browsers. The error is similar in both browsers:

  • Edge: CSP14312: Resource violated directive 'script-src 'self' ...
  • FF: Content Security Policy: The page’s settings blocked the loading of a resource at self ... Source: onfocusin attribute on DIV element.

Firefox is more specific about the error, and there is a discussion on Firefox Bugzilla where they state that this is an issue in jQuery 1.x.
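The Firefox message names the trigger: an `onfocusin` attribute set on a `<div>`, which jQuery 1.x does on a scratch element during its feature detection. Under a policy of `script-src 'self'`, as in the Edge message above, an inline event-handler attribute is a blocked inline script. The following is an added example, not code from jQuery, IdentityServer3 or the commenter: a small evaluator that parses a Content-Security-Policy header and reports whether inline event-handler attributes would be allowed, so you can confirm from a response header alone whether the login page would trip this. The policy strings it is run against are constructed for illustration; the CSP3 `'unsafe-hashes'` mechanism for hashed event handlers is noted but not modelled.

```javascript
// Added example: does this CSP permit inline event-handler attributes (onfocusin="...")?
// Not jQuery or IdentityServer3 code; the policies below are constructed.

// Parse "directive src src; directive src" into Map(directive -> [sources]).
// Per the spec, only the first occurrence of a directive counts.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Inline event handlers are governed by script-src-attr (CSP3), else script-src,
// else default-src. A nonce cannot be attached to an attribute, and in CSP2+ the
// presence of any nonce/hash source makes 'unsafe-inline' ignored, so the only
// way the probe passes is 'unsafe-inline' with no nonce or hash sources
// (or CSP3 'unsafe-hashes' with a matching hash, not modelled here).
function inlineEventHandlerAllowed(header) {
  const policy = parseCsp(header);
  const directive = ["script-src-attr", "script-src", "default-src"].find(d => policy.has(d));
  if (!directive) {
    return { allowed: true, directive: null, reason: "no script-src or default-src directive" };
  }
  const sources = policy.get(directive).map(s => s.toLowerCase());
  const hasUnsafeInline = sources.includes("'unsafe-inline'");
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (hasUnsafeInline && !hasNonceOrHash) {
    return { allowed: true, directive, reason: "'unsafe-inline' is in effect" };
  }
  if (hasUnsafeInline && hasNonceOrHash) {
    return { allowed: false, directive, reason: "'unsafe-inline' ignored: nonce or hash source present" };
  }
  return { allowed: false, directive, reason: "no 'unsafe-inline'; nonces do not apply to handler attributes" };
}

// Constructed policies: the first resembles the one in the Edge message above.
const POLICY_SELF_ONLY = "default-src 'self'; script-src 'self' https://cdn.example";
const POLICY_UNSAFE_INLINE = "default-src 'self' 'unsafe-inline'";
const POLICY_NONCE_PLUS_INLINE = "script-src 'self' 'unsafe-inline' 'nonce-abc123'";

console.log(inlineEventHandlerAllowed(POLICY_SELF_ONLY));
```

The tempting workaround, adding `'unsafe-inline'` to `script-src`, makes the probe pass only by discarding the XSS protection the CSP exists to provide. The fix that keeps the policy intact is to stop shipping the library build that sets the attribute.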


3 participants