Reputation: 266
What can people do with javascript includes?
We're talking to a 3rd party to include some of their data on a website of ours, they want to do it either through an iframe which I don't prefer because of responsiveness reasons.
The other options they offer is the inclusion of a javscript file which will take a parameter to know what DOM element to put the results in.
Basically this gives them access to the javascript scope of our website in which if they wanted can do stuff like hide dom objects etc.
My question is, are there any security things I have to think off? Can they in their javascript for example write malacious code that in the end reads .php files from our server and get passwords from config files etc? Or is the only thing they can do DOM related?
Upvotes: 1
Views: 70
Answers (4)
Reputation: 1075049
Can they in their javascript for example write malacious code that in the end reads .php files from our server and get passwords from config files etc?
They can do anything in the JavaScript code you're including on your page for them that you can do in JavaScript code on that page. So that could be just about anything you can do client-side. It includes (for instance) grabbing session information that's exposed to your page and being able to send that information elsewhere.
If you don't trust them not to do that, don't include their JavaScript in your page.
We're talking to a 3rd party to include some of their data on a website of ours
Have them make that information available as data, not code, you request via ajax, and have them enable Cross-Origin Resource Sharing for the URL in question for requests from your origin. Then, you know you're just getting their data, not letting them run code.
Note that using JSONP instead of CORS will enable them to run code again, so it would have to be true ajax with CORS if you don't trust them.
Upvotes: 2
Reputation: 20909
You're essentially giving them trusted XSS privileges.
If you can do something in a web browser (make posts, "browse" a page, etc), you can automate it using JavaScript. They won't be able to upload/modify your PHP files unless you (or your users) can.
To the user, you're giving them to capability to impersonate you.
To you, you're giving them the capability to impersonate users.
Upvotes: 2
Reputation: 513
You shouldn't have to worry about PHP files, or config files but stealing session cookies or other XSS-style attacks could definitely be an issue.
Why can't/won't they provide data in the form of an API?
Upvotes: 1
Reputation: 307
They could:
Take control of users' cookies, including reading and modifying them.
Redirect the user to any site they would like.
Embed any code they would like into the page.
They can't:
- Access php files directly.
- Access any server files directly.
Javascript runs in the browser and not on the server.
Upvotes: 2
Related Questions
- Security Issues for allowing users to add own JavaScript to your site?
- What does external javascript can access on website. Asking for security reasons
- Javascript security on a server
- Javascript Security
- securing javascript source code
- Potential malicious uses of javascript?
- What harm can javascript do?
- external script usage in javascript
- Javascript reference external script file - security implications
- Security and JavaScript files containing a site's logic