Slide 1

Slide 1 text

Ain’t No Party Like a Third-Party JS Party
Rebecca Murphey
BlendConf 2014, Charlotte, N.C.

Slide 2

Slide 2 text

@rmurphey ~ rmurphey.com bazaarvoice.com

Slide 4

Slide 4 text

third-party javascript

Slide 5

Slide 5 text

    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
    })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

    ga('create', 'UA-143877-10', 'auto');
    ga('send', 'pageview');

Slide 9

Slide 9 text

    $BV.ui('rr', 'show_reviews', {
        productId : 'product1'
    });

Slide 10

Slide 10 text

“[A] critical security error is why the web is beautiful and amazing, and I am so happy that no one thought ‘hey, that might be a terrible idea,’ because I really don’t think we’d have as good of an ecosystem as we have today. Needless to say, it’s kind of scary that if anyone can get a script tag on your page, there’s nothing they can’t do.”

Alex Sexton, Stripe

Slide 11

Slide 11 text

third-party javascript is consensual XSS

Slide 14

Slide 14 text

In 1921, early suffragettes often donned a bathing suit and ate pizza in large groups to annoy men. pic.twitter.com/oQJFND2AHJ

— History In Pictures (@historyepics) August 31, 2014

Slide 16

Slide 16 text

7 requests, 3 hosts

Slide 17

Slide 17 text

107k

Slide 19

Slide 19 text

3pjs access demo

Slide 20

Slide 20 text

third-party javascript is consensual XSS

Slide 21

Slide 21 text

you’re a third-party JS consumer if
1. your web page loads a script from a domain you don’t control
2. your JS application consumes JSONP from a domain you don’t control (see #1)

Slide 22

Slide 22 text

trust no one (except if you must)
async all the things
understand the risks: security, perf, conflicts
https all the things
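An added example, not from the slides, of what “async all the things” and “https all the things” look like on the consumer side: a loader that upgrades the script URL to https, forces async, and gives up after a timeout so a slow or dead third-party host cannot stall the page. The function names, the injected `doc` parameter (pass `document` in a real page) and the timeout value are my assumptions.

```javascript
// Added example: consumer-side loader for a third-party script.
// `doc` is injected so the helpers can run outside a browser; in a page, pass `document`.

// "https all the things": upgrade protocol-relative and http:// URLs, and refuse
// anything that is not an absolute URL naming the host we intend to trust.
function toHttps(src) {
  if (src.startsWith('https://')) return src;
  if (src.startsWith('//')) return 'https:' + src;
  if (src.startsWith('http://')) return 'https://' + src.slice('http://'.length);
  throw new Error('refusing to load non-absolute third-party script: ' + src);
}

// "async all the things": build the <script> element the way the analytics snippet
// does, but with the URL normalised and async always on.
function buildScriptElement(doc, src) {
  const el = doc.createElement('script');
  el.async = true;                 // never block parsing on a host you do not control
  el.src = toHttps(src);
  return el;
}

// "understand the risks: perf": a dead or slow third-party host must not hang the page,
// so the loader reports success/failure and stops waiting after timeoutMs (assumed default).
function loadThirdPartyScript(doc, src, timeoutMs = 5000) {
  return new Promise((resolve, reject) => {
    const el = buildScriptElement(doc, src);
    const timer = setTimeout(() => {
      el.onload = el.onerror = null;
      reject(new Error('third-party script timed out: ' + el.src));
    }, timeoutMs);
    el.onload = () => { clearTimeout(timer); resolve(el.src); };
    el.onerror = () => { clearTimeout(timer); reject(new Error('failed to load ' + el.src)); };
    const first = doc.getElementsByTagName('script')[0];
    first.parentNode.insertBefore(el, first);   // same insertion trick as the GA snippet
  });
}
```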

Slide 24

Slide 24 text

work everywhere
BYOE(verything)
be the fastest thing on the page
tolerate insanity

Slide 25

Slide 25 text

#undefined
body double
zombie scripts
keypressn't

Slide 26

Slide 26 text

https://pinboard.in/u:rmurphey/t:3pjs/

Slide 27

Slide 27 text

@rmurphey ~ rmurphey.com bazaarvoice.com