
Ain't No Party Like a Third-Party JS Party


Rebecca Murphey

September 12, 2014

Transcript

  1. Ain’t No Party Like a Third-Party JS Party
     Rebecca Murphey, BlendConf 2014, Charlotte, N.C.

  2. @rmurphey ~ rmurphey.com
    bazaarvoice.com


  3. third-party javascript


  4. The Google Analytics snippet, the deck's example of a typical third-party script include (repaired from extraction damage; the tracking ID is the one on the slide):

```javascript
// Queue ga() calls until analytics.js arrives, then insert an async <script>
// tag for it ahead of the first script already on the page.
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');

ga('create', 'UA-143877-10', 'auto');
ga('send', 'pageview');
```

  5. A Bazaarvoice ratings-and-reviews include, the deck's second example (repaired from extraction damage):

```javascript
$BV.ui('rr', 'show_reviews', {
  productId : 'product1'
});
```

  6. “[A] critical security error is why the web is beautiful and amazing, and I am so happy that no one thought ‘hey, that might be a terrible idea,’ because I really don’t think we’d have as good of an ecosystem as we have today. Needless to say, it’s kind of scary that if anyone can get a script tag on your page, there’s nothing they can’t do.”
     Alex Sexton, Stripe

  7. third-party javascript is consensual XSS


  8. Twitter's embed code for a tweet (markup lost in extraction): a blockquote with the tweet text “In 1921, early suffragettes often donned a bathing suit and ate pizza in large groups to annoy men. pic.twitter.com/oQJFND2AHJ”, attributed to History In Pictures (@historyepics), August 31, 2014 (statuses/505935577444003840), followed by a script tag (charset="utf-8") that pulls in Twitter's embed script.


  10. 7 requests, 3 hosts


  11. 3pjs access demo


  12. third-party javascript is consensual XSS


  13. you’re a third-party JS consumer if
      1. your web page loads a script from a domain you don’t control
      2. your JS application consumes JSONP from a domain you don’t control (see #1)

  14. trust no one (except if you must)
    async all the things
    understand the risks: security, perf, conflicts
    https all the things


  15. work everywhere
    BYOE(verything)
    be the fastest thing on the page
    tolerate insanity


  16. #undefined
    body double
    zombie scripts
    keypressn't


  17. https://pinboard.in/u:rmurphey/t:3pjs/


  18. @rmurphey ~ rmurphey.com
    bazaarvoice.com
