1. 29

  2. 8

    I like that his site has 3rd party resources loading.

    1. 5

      If you’re including script from another origin, you must absolutely trust them, and their security.

      Perhaps the author trusts the 3rd parties?

      1. 3

        I think people loading the site should be the ones deciding who to trust.

        1. 5

          That’s fine, but unrelated. @peter is saying that it’s not ironic that the author is using third party assets, since the author is not saying “don’t use third party assets” but rather “be careful when using third party assets”.

          Regarding your statement though, why should the user be the one deciding who to trust? How would that even work? Would you get a dialog every time you navigate to a web page showing the third party scripts the site uses and letting you opt out of them? Are you going to expect every web user to audit each line of code? How would this work for images?

          Maybe we should just have browsers show you the source code and then you can decide if you want to render it or not?

          I think browsers and web servers currently do a pretty good job of managing this without putting the user through undue frustration.

          1. 6

            > why should the user be the one deciding who to trust? How would that even work?

            The code is running on their CPU. The decision should always be up to them (and it is, but most users don’t know that going to site A will also include things from external-site B, C, D and E - all of which can now track your activities / location and likely other things that will make ad companies’ mouths water).

            > Would you get a dialog every time you navigate to a web page showing the third party scripts the site uses and letting you opt out of them?

            This is essentially what I do with uMatrix. Workflow is basically:

            • 1st party css / js / cookies are allowed.
            • 3rd party css / js / cookies are blocked.
            • If site functionality is broken:
              • Enable individual resources until functionality is achieved.
              • Use that site less / find alternatives.

            Obviously I don’t expect everyone to do this.

            1. 2

              Why do you trust first party assets? How do you know they’re first party? The developers may be hosting third party assets themselves.

              1. 4

                > How do you know they’re first party?

                They come from the domain (or subdomain) I am connecting to. And yes, likely they are 3rd party assets.

                People keep thinking it’s the existence of 3rd party assets I am worried about. It’s not the fact that they are 3rd party that worries me. It’s the meta information sent to 3rd parties hosting the resources and that the added infrastructure / complexity opens the door for malicious 3rd party resources.

                > Why do you trust first party assets?

                If all the resources come from the domain I am connecting to, that is 1 system that could be compromised. If the resources come from 100 different locations, that’s 100 systems that can be compromised.
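The first-party rule stated above (same host or a subdomain of it) and the "one system vs. 100 systems" count can be checked mechanically. The following is an added example, not code from anyone in this thread; the page URL, hostnames and HTML are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the document fetched from the (fictional) first-party host.
PAGE_URL = "https://example-blog.test/post"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.cdn.test/roboto.css">
<script src="https://static.example-blog.test/app.js"></script>
<script src="https://cdn.analytics.test/tracker.js"></script>
<script src="//ads.network.test/ads.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="https://tracker.pixel.test/p.gif">
</body></html>
"""

# Tags that make the browser fetch a sub-resource, and the attribute holding its URL.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}


class ResourceCollector(HTMLParser):
    """Collects every sub-resource URL referenced by the tags above."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append(value)


def is_first_party(resource_host, page_host):
    # The commenter's rule: same host, or a subdomain of the host being visited.
    return resource_host == page_host or resource_host.endswith("." + page_host)


def classify_resources(html, page_url):
    """Return (first-party URLs, sorted distinct third-party hosts)."""
    page_host = urlparse(page_url).hostname
    collector = ResourceCollector()
    collector.feed(html)
    first, third = [], set()
    for url in collector.urls:
        # scheme="https" makes protocol-relative "//host/x" URLs parse with a hostname;
        # relative paths ("/img/logo.png") have no hostname and are first-party.
        host = urlparse(url, scheme="https").hostname
        if host is None or is_first_party(host, page_host):
            first.append(url)
        else:
            third.add(host)
    return first, sorted(third)


def systems_to_trust(html, page_url):
    """1 for the origin host plus one per distinct third-party host (the count argued above)."""
    return 1 + len(classify_resources(html, page_url)[1])
```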

          2. 3

            What do you mean? From a user’s perspective what’s the difference between trusting what third party Jake Archibald hosts on jakearchibald.com and what third party content he trusts enough to load off a different origin?

            1. 3

              The difference is the number of parties with access to data that relates to the end users. I don’t think that CDNs offer their services for free because they are altruistic!

              1. 3

                First of all, CDNs don’t offer their services for free. Some of them offer introductory plans to lower the barrier to customer acquisition. This is like Blue Apron offering your first meal for free to get you to try them out without risk. They’re betting that the product they offer is compelling.

                The number of parties with access to data has very little to do with where the user’s initial HTTP connection terminates. If I run a server there’s little difference for me linking to a third party resource vs proxying a request to it.

                1. 2

                  > First of all, CDNs don’t offer their services for free.

                  Thanks for the correction. Google’s is entirely free. That aside, the point still stands, end-user data is being gathered regardless of the CDN tier the host (person running the site being visited) picked.

                  > If I run a server there’s little difference for me linking to a third party resource vs proxying a request to it.

                  The difference is the source of the request: from one it’s your web server, from the other it’s my IP address. This likely makes 0 difference to the person running a blog, but as a reader of your blog, I will automatically assume that you have 0 interest in the privacy of your readers.

      2. 2

        Scriptless attacks, first formalized in 2012 by Heiderich et al.: https://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf