1. 7
  1.  

  2. 4

    TL;DR - if you source a script on your page from another domain and it changes owners, they can execute whatever code they want on your domain.

    Seems like the best mitigation for this is to use subresource integrity: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

    That way, if the new owner serves a modified file, your page won’t execute it.

    1. 2

      This is indirectly a very nice counter to the argument that “we need all these engagement trackers and beacons and metrics or else we won’t make any money”. Obviously at least some of it isn’t critical.