Recently, we have seen a targeted attack on polyfill[.]io. To anyone with a bit of web security understanding, this has, unfortunately, not been that surprising, and the industry has acted quite swiftly. But the problem is not polyfills (or the browsers that make them necessary); it is the simple fact that it is quite dangerous to embed third-party JavaScript code. Unless you fully trust the source of that code (for example because you are the source, or because the source is very reputable), just don’t do it.
The advantage gained is rather small, and the potential for misuse is gigantic. Risk and reward do not match at all, and most likely there is a better solution that doesn’t require embedding a resource from another server.
Third-party scripts a long time ago
In my mind, there are two third-party scripts that were very prevalent a long time ago: jQuery and Bootstrap. jQuery, especially, was used on pretty much any website[Citation needed]. Then the argument came up that using a shared CDN would be faster, since visitors were likely to already have jQuery from that CDN cached from some other site. I think that argument was questionable at best; with modern tools such as HTTP/3, this should not be a problem anymore. But it still means you are running some random JavaScript from a third party that you need to trust¹.
Now, even if you trust them, you don’t need to send data about the people visiting your website to that place. In fact, you are still sending at least the IP address of every visitor and leaking some data there.
Worst-case scenario
If you embed third-party code on your website (and do it in a rather stupid way) an attacker that controls the endpoint from where you embed the code might do a lot of damage. Here is a non-exhaustive list of stuff they can do:
- Absolutely change any style and content of your website. Change any message you might publish there completely. Or mess up the style.
- If a website has inputs, capture all inputs. Including inputs on credit card fields or other interesting stuff.
- Redirect to a wholly different website.
- Show something thoroughly different to only a certain segment of your website visitors, such as search engines or users from a different country.
So what now
While I think it’s fine to use third-party tools, just don’t embed any JavaScript from a place you don’t control. With my websites, I have ensured that I have full control (or at least as much as possible) over my pages and therefore minimised the risk for the users of my site. Then again, there was never a big risk to begin with. As far as I know, all content served on my website is served by a service chosen by me. Images are optimised on my server and served from there. The same goes for any JavaScript, and I also self-host my analytics. So I don’t embed anyone’s third-party code, although I use it in the build process every so often.
In all fairness, I think the people behind jQuery are very trustworthy, as is their content delivery network, Fastly. Further, they now recommend embedding it in the following way:
<script src="https://code.jquery.com/jquery-3.7.1.min.js" integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo=" crossorigin="anonymous"></script>
¹ For embedding code, this might be the best-case scenario, as the integrity attribute ensures that the code cannot be changed and crossorigin="anonymous" ensures that no cookies or anything else is sent, but I would still recommend against it.