jso-protector/runtime/third-party-inventory is the browser sensor. jso-protector/runtime/managed-integrity is the policy and incident control plane. The account dashboard now persists and versions policies at /dashboard/web-integrity.aspx, while the public ETag-enabled policy endpoint lets the browser sensor enforce them without exposing account credentials. Apply App_Data/CreateWebIntegrityTables.sql before enabling it.
Block unknown dynamic scripts
const inventory = require("jso-protector/runtime/third-party-inventory");
inventory.attach(window, {
originAllowlist: ["https://js.stripe.com", "https://cdn.example.com"],
inlineContentAllowlist: ["sha256-hex"],
enforcementMode: "block",
beaconUrl: "/v1/runtime/beacon.ashx",
onBlocked(decision) { lockCheckout(decision); }
});
Block mode neutralizes a dynamically-created script before its src is assigned when the origin is unknown or the script is injected after page load. Pre-existing parser-inserted scripts still require CSP and SRI for deterministic pre-execution blocking.
The dashboard can publish durable versioned policies. Load one directly with attachFromPolicy(window, { policyUrl: "/v1/runtime/integrity-policy.ashx?id=..." }); public responses use an ETag and five-minute cache window while containing no account credentials or secrets.
Fence protected data at browser egress
const dataGuard = require("jso-protector/runtime/data-exfiltration-guard");
dataGuard.attach(window, {
id: "checkout-egress", version: "1", mode: "block",
allowedOrigins: [location.origin, "https://api.stripe.com"],
protectedFieldNames: ["accountNumber"]
});
The guard watches fetch, XHR, sendBeacon, WebSocket sends, and programmatic form submission. Built-in selectors cover password and payment autocomplete fields; add application-specific selectors or field names explicitly. It blocks only when protected data is sent to an unapproved destination. Incident snapshots retain destination origin, field names, counts, transport, and action, but never field values or request bodies.
This is a defense-in-depth browser control, not a substitute for CSP, SRI, server-side tokenization, or a managed SOC. It cannot reliably identify the originating script for every JavaScript call, and already-encoded or encrypted payloads may evade value matching. Start in monitor mode, review destinations, then enable block.
Version and operate policy
const managed = require("jso-protector/runtime/managed-integrity");
const policy = managed.createManagedIntegrityPolicy({
id: "checkout", version: "2026-07-13.1", mode: "block",
allowedOrigins: ["https://js.stripe.com"],
expectedContentBySrc: approvedHashes
});
const decision = managed.evaluateSnapshot(policy, inventorySnapshot);
const operations = managed.createIntegrityOperations();
operations.ingest(decision);
The operations layer fingerprints repeated violations, increments occurrence counts, supports open/reviewing/resolved/ignored transitions, records assignee and resolution data, and exports portable JSON for retention or SIEM handoff.
Operational boundary
The hosted product stores policies and receives runtime incidents; customers can also run the package control plane in their own worker or collector. A managed monitoring contract, 24/7 analyst response, regulatory attestation, and incident-response ownership remain service and organizational commitments rather than properties software can create.