Meta open-sources browser extension to establish authenticity of web code

Originally created to help WhatsApp users verify the authenticity of WhatsApp code served to their browsers, Code Verify is a new open-source extension for Chrome, Edge, and Firefox that provides the same level of security for other web services, says Meta.
We believe that with Code Verify, we are breaking into new territory with automatic third-party code verification, especially at this scale. We hope more services will use the open source version of Code Verify and make third-party verified web code the new normal.
Code Verify builds on the idea of sub-resource integrity and takes it from the individual file level to the entire web page. Sub-resource integrity is a W3C recommendation that aims to ensure that content delivered to a browser has not been manipulated. It is important to understand that the use of secure channels, relying on TLS, HSTS or other mechanisms, mitigates this risk by ensuring that the server providing the content is indeed the one expected, but it does not protect against the possibility that the delivered content has been compromised directly on its legitimate source server.
Sub-resource integrity extends two HTML elements, script and link, with an integrity attribute that passes a cryptographic hash of the expected resource, for example:
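The Node.js sketch below is an added example, not code from Meta or from the original article: it builds the value of an integrity attribute and checks received bytes against it following the matching rules of the SRI specification. The script contents and all function names are constructed for illustration.

```javascript
// Added example: SRI attribute generation and checking (Node.js, CommonJS).
const { createHash } = require('node:crypto');

// Hash functions defined for SRI, ordered weakest to strongest.
const ALGS = ['sha256', 'sha384', 'sha512'];

// Build the value of an integrity attribute for the given bytes.
function sriValue(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Split an integrity attribute into { alg, digest } entries. Tokens with an
// unsupported algorithm or no "-" separator are dropped, as a browser would.
function parseIntegrity(attr) {
  return attr.split(/\s+/).filter(Boolean)
    .map((token) => {
      const expr = token.split('?')[0];            // strip optional ?options
      const dash = expr.indexOf('-');
      return { alg: expr.slice(0, Math.max(dash, 0)), digest: expr.slice(dash + 1) };
    })
    .filter((m) => ALGS.includes(m.alg));
}

// Decide whether body satisfies the attribute: only entries using the
// strongest listed algorithm count, and any one of them may match.
function matchesIntegrity(body, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true;           // nothing usable: no enforcement
  const rank = Math.max(...entries.map((m) => ALGS.indexOf(m.alg)));
  const actual = createHash(ALGS[rank]).update(body).digest();
  return entries.some((m) =>
    m.alg === ALGS[rank] && Buffer.from(m.digest, 'base64').equals(actual));
}

// Constructed sample: the script a publisher released and a modified copy.
const released = Buffer.from('console.log("release 1.0");\n');
const modified = Buffer.from('console.log("release 1.0");fetchExtra();\n');

function demo() {
  const attr = sriValue(released);
  return { attr, ok: matchesIntegrity(released, attr), bad: matchesIntegrity(modified, attr) };
}

console.log(demo());
```

An attribute that lists only unsupported algorithms is treated as empty and enforces nothing, so generated values should use sha256, sha384 or sha512.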
Code Verify requires that for each new version of a given resource, for example, WhatsApp libraries, its publisher shares the corresponding hash with a trusted third-party source. The Code Verify extension then retrieves this hash from a specific audit endpoint and compares it to the one it computes locally from the received resource. In the case of WhatsApp, Code Verify relies on Cloudflare to act as a trusted third-party source. The overall flow of information is shown in the image below.
(Image courtesy of Meta)
According to Meta, the extension does not log any data, metadata, or user data, and it does not share any information with WhatsApp or Cloudflare aside from the cryptographic hash.