fergal — 2013-09-09T16:43:33-04:00 — #1
An advertiser would like to add the code below to my site, for privacy reasons I've removed the URL from the code.
Would adding that code be a security risk?
If it is, is there anything I can do, besides not adding the code, to alleviate the risk?
felgall — 2013-09-09T17:58:01-04:00 — #2
The risk would depend on what that script contains. As an advertiser's script what it most likely contains is the code to add their edvertisement into your page and probably calls to a cookie to track who sees their ad. If that is all that their script contains (which is likely) then there is no risk to you in using it. People visiting your page can stop the script tracking them by disabling third party cookies and can stop the ad displaying at all using an ad blocker.
jeff_mott — 2013-09-09T19:08:52-04:00 — #3
Technically yes, it's a security risk. Allowing a third party to execute arbitrary JS means they could steal session cookies, which could allow them to log in, for example, as an admin. You're trusting that the advertiser's JS doesn't contain anything harmful, or that something harmful won't be inserted at some point in the future.
I vaguely recall reading that you can protect against this by loading the third party JS in a frame. Your parent frame JS can invoke the third party code, but the third party JS can't escape it's frame. There may be more to it than that, and I may be mis-remembering as well, but that should give you something specific to research.
mittineague — 2013-09-10T01:13:06-04:00 — #4
As felgall said, if that's all the script does you should be OK.
Ask yourself 2 questions.
Do you have complete trust that the source won't ever do anything malicious?
Do you have complete trust that the source site's security will prevent anyone from modifying the script file?
fergal — 2013-09-10T05:46:30-04:00 — #5
Thanks for your replies, that is very helpful.
The script in question is hosted on Google's appspot.com, should that give me any reassurance? Just to clarify, I'm dealing with a third party, not with Google.
Those are great questions and have given me a lot to think about, thanks for that.
eastcoast — 2013-09-13T18:33:29-04:00 — #6
No, in fact I'd say that it would give me more doubt - all the big ad vendors (who you could trust) generally use their own hosting/cdn, so in effect you are dealing with a lesser known quantity that is outsourcing its hosting.
fergal — 2013-09-19T07:40:51-04:00 — #7
Thanks for your reply @EastCoast.
I'm more than a little bit embarrassed to say this, but for the benefit of others who may be viewing this thread, I installed the code / script on my site and unfortunately it damaged some of the site templates. The code has now been removed and the major issues have been fixed (there are still some templates that need to be repaired). I don't believe that there was anything malicious involved, just that the developers didn't code or test the script as well as they thought they did.
What I really should have done was test the script on a test site before letting it anywhere near the live site. The advice I received in this topic was excellent, but I made an error of judgement.