8

I'm looking for some standard pieces of advice on how to integrate external JavaScript into a website. For example, on mywebsite.com:

<script src='//externalsite.com/js/script.js'></script>

The thing is: if externalsite.com gets hacked, mywebsite.com is at risk. And this JavaScript does not require access to the mywebsite.com content (it is for example a chatbox).

What would be the right way to do it? Is iFrame the way to go?

To clarify, the JS is a virtual assistant that "chats" with the visitor. The externalsite is managing the JS code, and more importantly the dialogs. I'm worried about XSS in the dialogs.

Choumarin
    The most important question is **why** you need it to be external? Can you not host it locally? – Polynomial May 28 '13 at 16:08
  • If you must link to it, I suppose you could do a server-side integrity check of the remote file, and if its integrity isn't sound - load a local version. Of course, you have to keep track of authorized changes of the remote version.. – Henning Klevjer May 28 '13 at 18:35
  • @Polynomial Increasing speed and reducing costs. Of course you _can_ host it locally if you must... – Luc May 28 '13 at 19:44
  • 1
    @Polynomial popular websites should move static content to a CDN. Using a CDN for static content improves scalability of the application while reducing page load-times. – rook May 30 '13 at 01:37
  • Many answers already. However, this is not a CDN thing. To be more accurate, the JS is a virtual assistant that is developed by a third party. They manage their code (so no internal hosting possible). – Choumarin May 30 '13 at 12:23

2 Answers

5

A chain is only as strong as its weakest link.

So make sure you trust your Content Delivery Network (CDN). I guarantee it is more difficult for a hacker to penetrate Google's servers than yours. Cloudflare is another example of a security minded CDN.

Mixed content and Insufficient Transport Layer Security can compromise accounts. Transmitting any page or script over plaintext can lead to a compromise. A secure source tag would be src=https://, nothing else should ever be permitted.

rook
4

The best way to approach this is to get a copy of the JavaScript from the 3rd party and then host it locally on your site. That way you don't run the risk of a compromise of the 3rd party affecting you directly (although it still could, depending on what the JavaScript does, I would think).

Failing that I think you'd be down to auditing/reviewing the security of the 3rd party's systems to ensure that the level of security there is the same or higher than the system which is making use of the JavaScript.

Rory McCune