Ain't No Party Like a Third-Party JS Party

Transcript

1. Ain’t No Party Like 
 a Third-Party JS Party Rebecca

   Murphey BlendConf 2014 Charlotte, N.C.

2. @rmurphey ~ rmurphey.com bazaarvoice.com

3. None

4. third-party javascript

5. <script>      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new  Date();a=s.createElement(o),    

    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)      })(window,document,'script','//www.google-­‐analytics.com/analytics.js','ga');   !    ga('create',  'UA-­‐143877-­‐10',  'auto');      ga('send',  'pageview');   ! </script>
6. None
7. None
8. None

9. <script  src="//display.ugc.bazaarvoice.com/static/Agileville/en_US/bvapi.js">
 </script>   <script>    $BV.ui('rr',  'show_reviews',  {  

          productId  :  'product1'      });   </script>

10. [A] critical security error is why the web is beautiful

    and amazing, and 
 I am so happy that no one thought 
 “hey, that might be a terrible idea,” because I really don’t think we’d have as good of an ecosystem as we have today. Needless to say, it’s kind of scary that if anyone can get a script tag on your page, there’s nothing they can’t do. Alex Sexton, Stripe

11. third-party javascript is consensual XSS

12. None
13. None

14. <blockquote  class="twitter-­‐tweet"  lang="en"><p>In  1921,  early   suffragettes  often  donned  a

     bathing  suit  and  ate  pizza  in  large   groups  to  annoy  men.  <a  href="http://t.co/ oQJFND2AHJ">pic.twitter.com/oQJFND2AHJ</a></p>&mdash;  History  In   Pictures  (@historyepics)  <a  href="https://twitter.com/historyepics/ statuses/505935577444003840">August  31,  2014</a></blockquote>   ! <script  async  src="//platform.twitter.com/widgets.js"   charset="utf-­‐8"></script>  

15. <blockquote  class="twitter-­‐tweet"  lang="en"><p>In  1921,  early   suffragettes  often  donned  a

     bathing  suit  and  ate  pizza  in  large   groups  to  annoy  men.  <a  href="http://t.co/ oQJFND2AHJ">pic.twitter.com/oQJFND2AHJ</a></p>&mdash;  History  In   Pictures  (@historyepics)  <a  href="https://twitter.com/historyepics/ statuses/505935577444003840">August  31,  2014</a></blockquote>   ! <script  async  src="//platform.twitter.com/widgets.js"   charset="utf-­‐8"></script>  

16. 7 requests, 3 hosts

17. 107k

18. None

19. 3pjs access demo

20. third-party javascript is consensual XSS

21. you’re a third-party JS consumer if 1. your web page

    loads a <script> 
 from a domain you don’t control 2. your JS application consumes JSONP 
 from a domain you don’t control (see #1)

22. trust no one (except if you must) async all the

    things understand the risks: security, perf, conflicts https all the things
23. None

24. work everywhere BYOE(verything) be the fastest thing on the page

    tolerate insanity

25. #undefined body double zombie scripts keypressn't

26. https://pinboard.in/u:rmurphey/t:3pjs/

27. @rmurphey ~ rmurphey.com bazaarvoice.com