Modern single-page web applications require client-side execution of application logic, including critical functionality such as client-side cryptography. Existing mechanisms such as TLS and Subresource Integrity secure the communication and provide external resource integrity. However, the browser is unaware of modifications to the client-side application as provided by the server, and the user remains vulnerable to malicious modifications carried out on the server side. Our solution makes such modifications transparent and empowers the browser to validate the integrity of a web application based on a publicly verifiable log. Our Web Application Integrity Transparency (WAIT) approach requires (1) a browser extension for local integrity validation, (2) a custom HTTP header for web servers that host the application, and (3) public log servers that serve the verifiable logs. With WAIT, the browser can disallow the execution of undisclosed application changes. Also, web application providers can no longer dispute their authorship of published modifications. Although our approach cannot prevent every conceivable attack on client-side web application integrity, it introduces a novel sense of transparency for users and an increased level of accountability for application providers that is particularly effective against targeted insider attacks.