In particular, this mostly refers to widgets that require you to add links to their JavaScript into your page using a
<script>
node. There are a few that work through iframes, and while there are still a few issues with that, the script nodes are the ones that can do you the most damage.Not be evil
For starters, we trust the third party to not be evil. We trust that the JavaScript they serve us will:- not try to steal the data our users give us through the website,
- not manipulate our page content in malicious ways,
- not track our user's actions in any ways that we haven't authorised them to do,
- probably more...
Not be careless
We're also trusting the widget provider to not be careless. We expect them to be diligent about the security of their own systems. If someone malicious were to break into a third party widget provider, they could then manipulate the JavaScript served out to our sites. Same problem as above, same repercussions, but slightly different entity responsible. It's possible for the widget owner in this case to claim that they were also the victim. That doesn't make it better for anyone, it just shifts the blame.Not be too trusting
We don't just trust the widget provider, but also their hosting provider and their DNS registrar. This is a sub-topic under the don't be careless part above, but there may be another entity involved here. Running a whois lookup on the widget provider's hostname will tell you who their DNS registrar is. Do you trust them to not get compromised and have DNS redirected? Does the widget provider use SSL to guarantee that the host you're connecting to is in fact a host they own? Can you trust SSL?Not go down
Let's face it... how many times have you had a twitter (or any other) widget on your page that showed nothing? Perhaps you're being rate limited, perhaps the service is down for maintenance, or something else. That huge blank space where your widget should be looks kinda bad. Not really a security issue, but it hurts your site's image.There's little doubt why large companies won't trust a third party's JavaScript on their own sites. In exceptional cases, they may contract with the third party to get the JavaScript onto their own servers where they can guarantee that it doesn't change, and can pull the plug quickly if something goes wrong.
What about you? Do you run a website that includes third party widget JavaScript on your site? Are you big or small? Would you keep this up when you became big?
1 comments :
I don't trust 3rd party content when it comes to performance. They can bring down your site in no-time, proper measurements/precautions should be put in place. I enjoyed reading Stoyan's presentation Social Button BFFs (http://www.slideshare.net/stoyan/social-button-bffs). It's important to know what they are capable of doing (SPOF) and if they are really needed in the context of your site. Unfortunately most people put them in blindly and posts like yours hopefully encourage people to think twice if all social widgets need to be included in their page.
Thanks for the though provoking post.
Barbara
Post a Comment