Reputation: 1512
A question that I've wondered about every now and again over the years but never really bothered to find a definitive answer to.
We know it's possible to manipulate both inline and external scripts via the console, but are there any small security benefits of one over the other?
Is it a bit harder to manipulate one of them or are they both equally vulnerable?
Upvotes: 2
Views: 1752
Reputation: 494
Possible Issues With Inline JavaScript
The main disadvantage of inline JavaScript is the potential of Cross-site Scripting. Essentially, a trusted website can unintentionally render code (in this case JavaScript) that can perform any number of malicious acts. A simple example of an inline JavaScript security issue can be found here.
Content Security Policies
When JavaScript is externalized, you can establish a Content Security Policy that trusts external JavaScript that is loaded from your website (and other websites if needed) and block all inline JavaScript from executing. Essentially, you are establishing that all of your externally loaded resources are safe, and that if by chance any JavaScript tries to execute inline, then block the attempt.
Additional Steps
It should be noted, however, that safeguards should be established as a first line of defense to "clean" incoming and outgoing text. It should be assumed that any user input, incoming or outgoing, could be malicious. Plan accordingly.
The following links have more information:
Upvotes: 2
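The answer above recommends a Content Security Policy that trusts external scripts from your own origin and blocks inline ones. The following is an added example, not code from the original answer, modelling how a browser's `script-src` directive makes that decision; the policies, the page origin `https://example.com` and the CDN host are constructed for illustration.

```javascript
// Added example, not code from the original answer: a simplified model of how a
// browser's Content-Security-Policy decides whether a <script> may run. It covers
// the source expressions the answer's advice relies on ('self', host sources,
// 'unsafe-inline', 'nonce-...'). Real engines handle more (hashes, wildcards,
// 'strict-dynamic', redirects); treat this as an illustration of the rules only.

// Return the source list of one directive, or null when the header lacks it.
function sourcesFor(policyHeader, directiveName) {
  const directive = policyHeader
    .split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0] === directiveName);
  return directive ? directive.slice(1) : null;
}

// script-src governs scripts; without it default-src applies; without both, nothing is blocked.
function scriptSources(policyHeader) {
  return sourcesFor(policyHeader, 'script-src') || sourcesFor(policyHeader, 'default-src');
}

// script is { inline: true, nonce?: string } or { inline: false, src: 'https://host/file.js' }.
// pageOrigin is the origin of the document carrying the policy, e.g. 'https://example.com'.
function scriptAllowed(policyHeader, pageOrigin, script) {
  const sources = scriptSources(policyHeader);
  if (sources === null) return true;
  const hasNonce = sources.some(s => s.startsWith("'nonce-"));
  if (script.inline) {
    // A nonce (or hash) in the directive makes browsers ignore 'unsafe-inline',
    // so a policy that combines both still blocks un-nonced inline scripts.
    if (hasNonce) return script.nonce !== undefined && sources.includes(`'nonce-${script.nonce}'`);
    return sources.includes("'unsafe-inline'");
  }
  const scriptOrigin = new URL(script.src).origin;
  return sources.some(s => {
    if (s === "'self'") return scriptOrigin === pageOrigin;
    if (s.startsWith("'")) return false; // other keywords never match a URL
    // Host source, with or without a scheme; a scheme-less host inherits the page's scheme.
    const host = s.includes('://') ? s : `${new URL(pageOrigin).protocol}//${s}`;
    return scriptOrigin === new URL(host).origin;
  });
}

// Constructed sample policies: the weak one permits inline scripts, the strict one
// only permits scripts served from the page's own origin or the named CDN.
const PAGE_ORIGIN = 'https://example.com';
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.net";
const NONCE_POLICY = "script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'";
```

Under `STRICT_POLICY` an injected inline `<script>` is refused while `https://example.com/app.js` still loads, which is the practical difference between the two approaches the question asks about.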