Reputation: 3717
I understand the best way would be not to have the external JS at all, but alas, it's not possible.
Situation
The owner of a site wants (no ifs/ands/or buts) to get paid by a company that offers gambling ads. This company states that in order for them to offer said ads the owner of the site must add a JS code to the site. Said JS code is a few lines, but essentially it creates a <script> tag and loads a minified external JS file located in the publicity company's server. They do different kinds of ads (pop-ups, etc.) and some other things that require the code.
There's no discussing not going through with this; I wanted to know if there were any kind of layers of security I might be able to add in order to protect site viewers. I know they are still in danger, but there's not much else I can do.
Things to do
(function(){})()
Anything else I could possibly do? Or am I simply fooling myself in thinking I can offer some feeble protection?
Upvotes: 2
Views: 717
Reputation: 721
Use a CDN that supports versions (almost every modern CDN supports that) so you don't need to host these JS files yourself, and you don't need to worry about the fact that the file might change.
Only run your JS on login pages.
For ads, use iframe elements, so the JS code for ads can't access external information.
Use Subresource Integrity (SRI) on script tags.
Example with jQuery
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js" integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=" crossorigin="anonymous"></script>
As Karl Graham mentioned, use Content Security Policy (CSP) in an HTTP Header, so content can't leak.
Make sure to use SSL Certificates (HTTPS), and to encrypt content when you do AJAX/Fetch requests so even if an external script listens to FetchEvents, it won't be able to read the data.
I'm almost certain that if you follow these rules, your external script won't be able to get your form content.
Upvotes: 0
Reputation: 151
There are a few ways that may allow you to secure your page with external scripts. First, create a content security policy. This basically tells the browser where it can load different types of content from, so if the third party starts loading content from new sources without telling you first, they will be blocked.
Secondly, the script-src tag. This allows you to specify a hash of the script tag, and if it changes the browser won't run it.
There is a much better write-up on these and more on Troy Hunt's blog, specifically this page: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/
Upvotes: 1