1. 2
  1.  

  2. 2

    Good god, this still seems absolutely insane to me.

    Would you blindly run a binary served automatically from any of these vendors on your production web server? No? Then don’t inject their code into your webpage! (or at least, not without a checksum)

    1. 1

      This is an important point – when adding a 3rd party to your site it’s critical to evaluate the quality of their service, they could severely harm your site.

      Ultimately the control does lay with the site owner though – once you’ve identified problems, you can remove a tag, generally with minimal effort.

      1. 1

        You can remove the tag, but said tag may have done irreparable damage: what if it steals user sessions or clicks certain buttons (such as delete) when logged in? it could destroy user data.

        1. 1

          You’re absolutely right - as part of reviewing you should be checking the tag is from a legitimate trustworthy company.

          My personal opinion is that it’s highly unlikely a commercial company would do something so malicious as to delete data on purpose.

          Of course it could happen by accident, but other than avoiding all 3rd party scripts, which is inherently impractical for most significantly-sized sites, there is nothing you can do to avoid that.

          1. 1

            Best method I’ve seen is to use scripts from vendors who won’t change them suddenly, then you can make use of subresource integrity.

            I’m not too worried about companies acting maliciously; they already make their money by gathering user data. I’m more worried about someone attacking the server and causing malicious scripts to be sent.