
A client of ours wants us to host a blob of JavaScript for their custom-branded version of our website. It is hosted on a subdomain of our site (customer.example.com), but uses the same cookie domain as our primary site (example.com).

What are the security implications of doing this, should we agree?

Stephen Touset
  • The hoster risks little. The embedder risks a lot. If you're malicious (e.g. because your host gets hacked) your customer will suffer from XSS. – CodesInChaos Sep 19 '13 at 18:21

1 Answer


I would say the implications are the same as any XSS vulnerability. What you are basically doing is allowing them to insert JavaScript of their choosing into your application without making them jump through the hoops of finding an XSS vulnerability.

Two big risks that come to mind are performing actions on behalf of the user without their OK and stealing session cookies if they aren't HttpOnly.

If you do agree, I would only do it on the condition that you review and approve all JavaScript.

Abe Miessler
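The answer's two risks (reading session cookies, and acting on the user's behalf) come down to how the browser scopes cookies between example.com and customer.example.com. The following is an added example, not code from the question or the answer: a small model of RFC 6265 cookie scoping (Domain, HttpOnly and Secure only; Path, expiry and SameSite are ignored) that shows which of example.com's cookies a script served from customer.example.com can read through document.cookie, and which the browser still attaches to requests that script triggers. The hostnames, cookie names and values are constructed for illustration.

```javascript
// Added example (not from the original question or answer): a small model of
// RFC 6265 cookie scoping, used to show which of example.com's cookies a
// script served from customer.example.com can read via document.cookie and
// which the browser still attaches to requests that script triggers.
// Hostnames, cookie names and values below are constructed for illustration.

// Parse one Set-Cookie header value as received from `requestHost`.
// Only the attributes relevant here (Domain, HttpOnly, Secure) are modelled;
// Path, Expires/Max-Age and SameSite are ignored.
function parseSetCookie(header, requestHost) {
  const parts = header.split(';').map((p) => p.trim());
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: valueParts.join('='),
    domain: requestHost.toLowerCase(), // no Domain attribute => host-only cookie
    hostOnly: true,
    httpOnly: false,
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const [key, rawValue = ''] = attr.split('=');
    switch (key.trim().toLowerCase()) {
      case 'domain':
        // A leading dot is ignored; the cookie then covers the domain and every subdomain.
        cookie.domain = rawValue.trim().replace(/^\./, '').toLowerCase();
        cookie.hostOnly = false;
        break;
      case 'httponly':
        cookie.httpOnly = true;
        break;
      case 'secure':
        cookie.secure = true;
        break;
      default:
        break; // other attributes are not modelled here
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain matching: the host is the cookie domain itself
// or a subdomain of it ("notexample.com" does not match "example.com").
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  return h === cookieDomain || h.endsWith('.' + cookieDomain);
}

// Cookies the browser would attach to a request to `host`.
function cookiesSentTo(jar, host, https = true) {
  return jar.filter((c) => {
    if (c.secure && !https) return false;
    return c.hostOnly ? host.toLowerCase() === c.domain : domainMatches(host, c.domain);
  });
}

// Names a script running on a page at `host` can read from document.cookie:
// everything that would be sent to that host, minus HttpOnly cookies.
function cookiesReadableByScript(jar, host) {
  return cookiesSentTo(jar, host)
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}

// Constructed Set-Cookie headers as example.com might issue them.
const SAMPLE_SET_COOKIE_HEADERS = [
  'session=abc123; Domain=example.com; Secure',        // shared with subdomains, script-readable
  'auth=def456; Domain=example.com; Secure; HttpOnly', // shared with subdomains, hidden from script
  'csrf=ghi789; Secure',                               // host-only: example.com alone
];

function buildJar() {
  return SAMPLE_SET_COOKIE_HEADERS.map((h) => parseSetCookie(h, 'example.com'));
}

// Stand-alone demonstration for the two hosts from the question.
const demoJar = buildJar();
for (const host of ['example.com', 'customer.example.com']) {
  console.log(host,
    '| sent:', cookiesSentTo(demoJar, host).map((c) => c.name).join(','),
    '| readable by script:', cookiesReadableByScript(demoJar, host).join(','));
}
```

Run with `node` to see that a script on customer.example.com can read `session` (set with `Domain=example.com` and no HttpOnly), cannot read `auth` (HttpOnly) but still has it sent along with any request it makes to example.com, and never sees the host-only `csrf` cookie at all. That is the practical split behind the answer: HttpOnly and host-only cookies limit cookie theft from the subdomain, but they do nothing about the injected script making authenticated requests on the user's behalf, which is why reviewing every byte of the customer's JavaScript is the condition the answer sets.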