ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During an architectural review of a single-page Rich Internet Application (RIA), the team plans to let third-party JavaScript widgets be downloaded at runtime to extend functionality in users' browsers. The security architect fears remote code execution if a widget contains malicious statements. Which design decision best limits the impact of such an attack?
Digitally sign each widget and verify the signature in the browser before loading it.
Host the widgets on a separate sub-domain and enforce a restrictive Content Security Policy that blocks inline scripts and limits script-src to that domain.
Obfuscate all widget JavaScript so attackers cannot easily read or modify the code.
Compress the widget files with GZip and deliver them exclusively over HTTPS connections.
Running untrusted or third-party JavaScript in the browser can open the door to cross-site scripting-based remote code execution. Hosting the widgets on a separate origin (for example, a dedicated sub-domain) and coupling this with a strict Content Security Policy (CSP) that blocks inline scripts and restricts the script-src directive confines what the code may load or execute. Even if a widget is malicious, the browser will refuse to execute disallowed script sources or make network calls outside the policy, effectively containing the damage. Code signing (digital signatures) confirms origin but does not prevent intentionally harmful logic from running once verified. Obfuscation only hides source code and offers no runtime protection. Compressing or serving code over HTTPS protects data in transit but has no bearing on what the script can execute once delivered. Therefore, isolating the widgets under a restrictive CSP is the most effective architectural mitigation against client-side remote code execution in this scenario.
Secure Software Architecture and Design