Chamila Wijayarathna

Reputation: 1941

Security Error - The page includes one or more script files from a third-party domain

I'm trying to embed "Authentication via Google" in a simple web app I am working on. I used the following code to do this.

<html>
<head>
    <title> Home </title>
    <!-- The client ID must be in the DOM before gapi.auth2.init() reads it. -->
    <meta name="google-signin-client_id" content="xxxxxxxxxxxx">
    <script>
        // Send the user to the login page if there is no signed-in Google session.
        function changePage() {
            if (!gapi.auth2.getAuthInstance().isSignedIn.get()) {
                window.location.href = "login.jsp";
            }
        }

        // Invoked by platform.js once it has loaded (named in ?onload= below).
        function onLoadCallback() {
            gapi.load('auth2', function () {
                gapi.auth2.init().then(changePage);
            });
        }

        // Sign the user out of the Google session, then re-check and redirect.
        function signOut() {
            var auth2 = gapi.auth2.getAuthInstance();
            auth2.signOut().then(changePage);
        }
    </script>
    <script src = "https://apis.google.com/js/platform.js?onload=onLoadCallback" async defer></script>
</head>
<body style="background-color:azure;">
<div class="vertcal-center">
    <div class="myclass">

        <h1>Welcome to home page</h1>
        <button type="button" class="button" onclick="signOut()">Log Out</button>
    </div>
</div>
</body>
</html>

However, when I ran a ZAP analysis on my code, it gave me a Low Risk alert saying "The page includes one or more script files from a third-party domain". It points to the following line as the line with the issue.

<script src = "https://apis.google.com/js/platform.js?onload=onLoadCallback" ></script>

I referred to the OWASP tutorial which describes this issue, and I understand that this can introduce the 3 risks they mention, which are

  1. The loss of control over changes to the client application.

  2. The execution of arbitrary code on client systems.

  3. The disclosure or leakage of sensitive information to 3rd parties.

However, I also understand that if I am going to use Google authentication, I'll have to trust Google and assume that they won't do anything bad here.

Is there any better way to do this in my code so that ZAP will not warn me?

Is it okay to ignore this alert?

Upvotes: 0

Views: 2914

Answers (2)

Simon Bennetts

Reputation: 6206

The way this rule works is described in the help that comes with ZAP, which is also available online: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules#cross-domain-script-inclusion :

Cross Domain Script Inclusion

Validates whether or not scripts are included from domains other than the domain hosting the content, by looking at the "src" attributes of "script" tags in the response. Allowed cross-domain scripts:

  • Any script with a non-empty "integrity" attribute is ignored - the integrity value is not checked as this will be checked by the browser
  • At MEDIUM and HIGH thresholds if a script URL falls within a context that also includes the URL of the base message no alerts will be raised.

So you can either specify an 'integrity' attribute or create a context and include in it all of the domains you trust.

Upvotes: 0

thariyarox

Reputation: 464

What ZAP looks at is the hostname of your web page and the hostname of the embedded JavaScript files. Since your website hostname will not be google.com anyway, ZAP will always complain. The only thing is that we are trusting the external JS. But you can download the external JS file and host it within your web app. That way you are calling your own JS file and ZAP will ignore it. However, if Google modifies the JS file after that, your local JS file won't get the new modifications. So my opinion is that you can justify this and ignore the issue in the ZAP report.

When you are using external JavaScript, make sure to check whether it has any reported known vulnerabilities. You can refer to [1] for more information on a similar topic.

[1] https://medium.com/@PrakhashS/using-retire-js-with-zap-to-identify-vulnerabilities-in-javascript-libraries-7baad56690aa#.cotei58mk

Upvotes: 1
